Dear Chair, dear Honourable Members,
I'm grateful for this opportunity to continue our exchange on an important topic: the interoperability of information systems for security and borders.
This work is important, because it addresses one of the essential commodities the EU provides - in full respect of fundamental rights - to support national authorities in countering terrorism and serious crime: information.
I cannot stress enough the importance of effective information sharing as a tool to prevent terrorism – I guess we all agree on that.
To help Member States address today's cross-border threats, this information needs to be complete, accurate and reliable. Unfortunately, some of the tragic attacks that happened over the last two years have highlighted weaknesses in the way our information systems are built and interact. We have come to understand that there are limits in the way our systems provide information to the officers on the ground.
A major cause is that systems are unable to communicate and share information between one another. Hence the need for interoperability – which may sound boring and technical but is of crucial importance for tackling terrorism and general criminality.
So I'm grateful for your interest in this topic, and that we are dedicating time to it – at our previous exchanges on this in January and March, in various bilateral meetings with many of you, and now here today. Your engagement in this matter is very encouraging for us.
Today's discussion marks a new step in this process. Today, I'm presenting you with our ideas for the way forward on interoperability. On 16 May, in our latest progress report on the Security Union, the Commission set out its approach on how to achieve interoperability.
This is based on the findings of our High-level Expert Group, which were published on 11 May. This approach, and our proposal for the way forward, is what I would like to present to you today. Before I come to that, allow me to set out the wider context of what we discuss today – the Commission's strategy on information systems for security and borders, and the work of our High-level Expert Group.
II) The Commission's strategy for stronger and smarter information systems
It was in the aftermath of the Brussels terrorist attacks of March 2016 that the Commission took a careful look at its information systems for security and borders, and at the way they work. We identified a number of structural shortcomings:
suboptimal use of existing systems by Member States;
missing functionalities in some of the existing information systems, for instance in relation to biometric data;
information gaps that lead to an incomplete picture for the officer on the ground; and
a fragmented architecture of data management where information is stored separately in unconnected systems, leading to blind spots.
To address these shortcomings, we proposed action in three areas, set out in the Communication of April 2016 on stronger and smarter information systems. And we made clear that the Charter of Fundamental Rights guides the work on implementing these actions.
First and foremost, we stressed the importance of maximising the benefits of existing information systems. We have been working hard with Member States to promote a better use of these systems. And we see clear signs of improvement here. For example, the use of the Schengen Information System (SIS) – our strongest law enforcement database – increased by 40% in 2016.
Where functionalities are missing, we are working to improve our systems. For example, we are establishing an Automated Fingerprint Identification System (AFIS) to allow national authorities to check individuals against the Schengen Information System on the basis of their fingerprints.
And we presented legislative proposals to further strengthen the existing systems – as we did for the asylum and irregular migration database Eurodac and the European Criminal Records Information System (ECRIS).
And where it was necessary to close important information gaps, we proposed new information systems: the EU Entry/Exit System to modernise external border management, and the European Travel Information and Authorisation System (ETIAS) to gather advance information on those travelling visa-free to the EU.
Finally, our strategy of April 2016 highlighted the need to improve the interoperability of information systems. It presented four options to achieve this – I will speak about these in more detail in a moment.
However, the Commission did not jump to conclusions. Given the legal, technical and operational challenges around interoperability, including their possible implications on fundamental rights, we wanted to take the necessary time for a careful and comprehensive analysis.
III) The work of the High-level Expert Group
This was the core task of the High-level Expert Group we set up – to assess the necessity, technical feasibility and proportionality of the options to achieve interoperability.
The work of the group was an inclusive and transparent process. Inclusive, because the Commission-led group brought together experts from Member States and Schengen associated countries, our agencies including the Fundamental Rights Agency, and the European Counter-Terrorism Coordinator and the European Data Protection Supervisor.
The LIBE Secretariat attended as an observer. The work of the group was transparent – all the meeting reports were made public. To increase this transparency further, I asked the group to present interim findings already in December – we discussed those interim findings together here in January.
The outcome of the group's work is serious and impressive, and I would like to thank all who contributed to this – including my fellow panellists here today. The Commission welcomes the final report of the group.
As regards its core task – the assessment of different options for interoperability – the group concluded that it is necessary and technically feasible to work towards the following three solutions:
a European search portal – we initially called this a single-search interface, but this led to confusion with existing national single-search interfaces;
a shared biometric matching service; and
a common identity repository.
The group concluded that, in principle, these solutions could be established in compliance with data protection requirements.
There was also a fourth option put on the table in our April 2016 strategy: the option to interconnect systems so that data registered in one system will automatically be consulted by another system. Regarding this option of interconnectivity, the group concluded that it should only be considered on a case-by-case basis.
The group also looked at a variety of other aspects related to existing information systems or possible information gaps. I'm happy to speak more about some of these aspects in our discussion. But the core task of the group was on interoperability, and it is here that we put our focus.
IV) A new approach to data management
So what is the Commission's new approach to data management for security and borders? We suggest that all centralised EU information systems for security, border and migration management should become interoperable. This concerns:
the Schengen Information System;
the Visa Information System;
the proposed EU Entry/Exit System;
the proposed European Travel Information and Authorisation System (ETIAS); and
the proposed European Criminal Records Information System (ECRIS) for third-country nationals.
What do we mean by interoperability? In order to make it work we have proposed three solutions:
First, a European search portal. This would help police and customs officers on the front line to access several EU information systems simultaneously, receiving combined results in one single screen, thus allowing them to use existing systems in a better and more productive manner.
Second, a shared biometric matching service for fingerprint data held in all information systems – making a biometric data search possible across all systems in one search.
And third, a common identity repository of core identity data for all systems: meaning that name, date of birth or gender would only be stored once.
The shared biometric matching service and the common identity repository would ensure that persons can only be registered under one identity in our systems, avoiding the same person being registered in unconnected databases under different aliases – unfortunately all too frequent in the past.
As I said, the three solutions were — as a basic idea — already part of the options presented in the April 2016 strategy. Now, thanks to the work of the expert group, we have refined them and know that it is feasible to establish them, and that we could do this in compliance with fundamental rights. This enables us to propose this step change in the way we manage data for security and borders, to help national authorities in better addressing transnational threats and detecting terrorists who act across borders.
It is important here to note that this is not about creating an enormous database where everything is interconnected. In the approach proposed, each system would keep its specific purpose limitation rules, access rules and data retention rules. And the approach would not lead to the interconnectivity of all the individual systems. They would only share information on core identity and fingerprints, to ensure that an individual cannot be registered under more than one identity.
And this is not about collecting more and more new data. It is about a targeted and intelligent way of using existing information held in our systems to best effect.
Thanks to the new framework for the protection of personal data and the benefits of new technologies and IT security, it is possible to ensure that information is made available as needed whilst limiting the data processing to what is strictly necessary and proportionate. And this in line with existing purpose limitations.
So interoperability is not about undermining data protection - on the contrary. I'd like to stress that the work on interoperability is firmly embedded in the full respect of fundamental rights. Data protection law ensures that personal data is not processed unlawfully. Aliases and fake identities though are not protected by data protection law. Our approach remains: data protection by design and by default.
And as the systems are only as good as the data put into them, we are also working to improve the quality of that data. Interoperability can only work if Member States feed the information systems with accurate and complete data. We will therefore continue our work on data quality, as launched already in January. Our agency for large-scale IT systems, eu-LISA, plays an important role in ensuring high data quality. And beyond that, more generally, the agency is a crucial actor in the work towards interoperability.
V) The proposed way forward
Talking about the work towards interoperability, what process do we propose to achieve this? Four points are important here:
closing all open files on information systems that are currently discussed;
a set of new legislative proposals to strengthen eu-LISA and to supplement the proposal on the European Criminal Records Information System;
further technical analysis; and, importantly,
a joint discussion between the three institutions on the way forward.
First, we want to further intensify our work with you in the European Parliament and the Council to close all open files on information systems before the end of the year. These are also legislative priorities under the Joint Declaration by the Presidents of the three EU institutions. They should therefore be adopted before the end of the year, if at all possible.
As I said already when we discussed interoperability in March, the work on interoperability should not delay the work on these proposals. They all address important information gaps that require urgent action. We will need these information systems in any case. This is irrespective of what we decide together about what we do on interoperability.
The legal bases of all affected information systems need to be stable first. Only then can we implement our new approach in a way that is manageable. This is why we first need to reach agreement on the proposals that are currently under discussion.
The second aspect of our ideas for the way forward is a pair of legislative proposals that we will present next month.
We will propose to strengthen the legal mandate of eu-LISA. The aim is to enable the agency to play its crucial role in the work towards interoperability. The proposal will also reflect the important role of the agency in ensuring high data quality. In parallel, we will present a supplementary proposal on the European Criminal Records Information System (ECRIS). This will take into account the discussions we have had with you here in Parliament, and with the Council, on the January 2016 proposal. The aim is to establish a centralised system to identify convicted third-country nationals.
Third, we need to do some further technical analysis. The expert group concluded that it is technically feasible to establish the identified solutions for interoperability.
But the group also identified areas for further work on some of the details of these technical solutions, calling for further analysis. We will do this analysis together with eu-LISA, through a series of technical studies and proofs of concept. And again, I count on the continued input and support of the European Data Protection Supervisor and the Fundamental Rights Agency. And we will regularly update you and the Council on progress made in this technical analysis.
This brings me to the last and very important point of our proposed way forward: We invite you in the European Parliament and the Council to hold a joint discussion on interoperability. In a way, we already start this discussion today. Ministers will address our proposals on interoperability at the next Justice and Home Affairs Council in June. Building on those discussions, we suggest holding tripartite technical level meetings in autumn this year. So again, the Commission does not jump to conclusions. Again, we want to take the necessary time for discussion on these important issues.
There are clearly a number of aspects around interoperability that deserve intensive discussion among the institutions. We have always said – already in our April 2016 strategy – that the findings of the High-level Expert Group will provide a basis for a joint discussion on the way forward. It is for the co-legislators to decide, on the basis of proposals by the Commission, how we go ahead on interoperability.
The statements issued by the Counter-Terrorism Coordinator, the Fundamental Rights Agency and the European Data Protection Supervisor – we will hear more about those in a moment – underline some of the points we need to address in our joint discussion. This includes the operational needs for security and borders; questions of proportionality and how to ensure full compliance with fundamental rights. We also need to look at data quality and information security. The goal is to reach a common understanding on the way forward on interoperability, at the latest by the end of the year.
Taking advantage of these exchanges, as well as the outcome of the ongoing legislative work and further technical analysis, we aim to present as soon as possible a legislative proposal on interoperability to establish the identified solutions.
The preparation of the legislative proposal will include a public consultation and an impact assessment, including on fundamental rights.
To conclude, I'm very pleased that we are now in a position to take the next step in our work towards the interoperability of information systems for security and borders. I would invite you all to continue to engage with us in the joint discussion on this important question, on the basis of the ideas and proposals we set out. I think we have a unique opportunity to make data management in the EU more effective and efficient, in full compliance with fundamental rights. This would allow us to ensure that those working on the ground for our safety have the necessary information at their disposal. It would enhance security and the protection of the external borders, for the benefit of all citizens. Thank you for your attention.