This article is also available in:
Deutsch: Datenschutzbeauftragter sorgt sich um erweiterte Befugnisse der Agentu...

Although not opposed to the creation by the European Commission of a security agency that would be in charge of EU visa and asylum databases, EDPS Peter Hustinx issued an opinion on 7 December 2009 showing his concern related to the expansion of the agency powers.

The Commission has proposed the creation of an agency that would run the databases used for the Schengen Information System (SIS II) on cross-border travel within the EU, the Visa Information System and EURODAC, the asylum seeker database.

Hustinx is worried because the Commission's proposal says that, besides running the respective databases, the agency should also manage other large-range IT projects. The EDPS believes that certain risks on the privacy of individuals should be "sufficiently addressed in the founding legislative instrument(s)," and urged the Commission to limit the powers of the agency. "The creation of an Agency for such large-scale databases must be based on legislation which is unambiguous about the competences and the scope of activities of the Agency. Such clarity would prevent any future misunderstanding about the conduct of the agency and avoid the risk of function creep. As currently drafted, the proposals do not meet those standards."

The EDPS's opinion is that entrusting more such large-scale IT projects to the same body would increase the risk of mistakes and wrongful use of personal data. "The total number of large-scale IT systems managed by one and the same Agency should therefore be restricted to a number with which the data protection safeguards can still sufficiently be assured. In other words, the point of departure should not be to bring as many large-scale IT-systems as possible under the operational management of one Agency."

The risk is even greater as in terms of interoperability "similar technology will be used for all systems which can therefore easily be interconnected."

For the improvement of the EC proposal, the EDPS recommends the legislator to clarify and decide whether the scope of activities of the Agency "should potentially cover all large-scale IT systems developed in the area of freedom, security and justice" and "to clarify the notion of large-scale IT systems in relation to the establishment of the Agency, and make clear whether it is limited to such systems which have as a feature the storage of data in a centralised database for which the Commission or the Agency is responsible".

Huntinx also "encourages the legislator, in the context of the proposed pilot schemes, to clarify the procedure which the Commission should follow before requesting for a pilot scheme. According to the EDPS, such a procedure should include an assessment, which might require a consultation of the European Parliament and the EDPS, of the possible impact on data protection of the initiative developed following such a request."

Security database super-agency's powers should be limited, says EU privacy watchdog (8.12.2009)
http://www.out-law.com//default.aspx?page=10586

Opinion of the European Data Protection Supervisor - on the proposal for a Regulation establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (7.12.2009)
http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/...

EDPS sees advantages of new Agency for large-scale IT systems, but urges the legislator to better define its scope of activities (7.12.2009)
http://europa.eu/rapid/pressReleasesAction.do?reference=EDPS/09/14&...