D3.6: Study on ID Documents

Title: EUROPEAN DATA PROTECTION AND HUMAN RIGHTS FRAMEWORK

Data Protection Directive 95/46

General overview 

Data Protection Directive 95/46 regulates the processing of personal data. Personal data are ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.

Biometrical data (fingerprints, photos) and alphanumerical data on persons (age, sex, name, address etc.) are personal data (Hes et al. 1999, 39). Directive 95/46 applies to Eurodac, VIS and the European Passport: this is expressly recognised in all Regulations. Moreover, these Regulations are in fact further elaborations and clarifications of the principles of data protection as laid down in Directive 95/46.

The basic principles of the Data Protection Directive are the following: Processing of personal data must be lawful and fair to the individuals concerned; personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (finality/purpose specification principle); the data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (proportionality principle); data processed must be accurate and where necessary, kept up to date: every reasonable step must be taken to ensure that inaccurate or incomplete data are erased or rectified.

Processing of so-called sensitive data is principally forbidden although exceptions to this principal prohibition are foreseen, such as the existence of explicit consent by the data subject; the necessity to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving his consent; processing of data which are manifestly made public by the data subject.

An important obligation is that the data controller provides the data subject with at least the following information: the identity of the controller and of his representative and the purpose of the processing for which the data are intended.

A substantial safeguard relates to the confidentiality and security of the processing. Data controllers must implement appropriate technical and organisational measures to protect personal data against destruction, loss, alteration or unauthorised disclosure and access. Such measures shall “ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected”.

Data Protection law applied to machine-readable documents and identities 

Many provisions in the Regulations concerning Eurodac, VIS and the European Passport and travel documents are in fact no more than further elaborations and clarifications of the general principles laid down in Data Protection Directive 95/46.  

A first clarification regards the finality/purpose specification principle: The finality of Eurodac is to assist in the determination of the State responsible for examination of an application for asylum. Eurodac’s central database may as a result only be accessed to compare fingerprints in particular situations and depending on whether it concerns an applicant for asylum, an alien apprehended at an external border or found illegally within the Territory. The finality of VIS goes further than only achieving a common visa policy: different authorities (even ‘third pillar’ authorities) can access VIS for other purposes than related with visa (e.g. check on visa in the territory, identification of illegal immigrants and assistance in applying the Dublin Convention). The finality of the European Passport is limited to ‘verifying the authenticity of the document and the identity of the holder when the passport or travel document is required to be produced by law.

The clarifications relate also to the data retention period when the data are centrally stored in a database (see Eurodac, VIS). The Regulations indicate also who the responsible data controllers are (the Commission and the Member States) and points out some specific security and confidentiality requirements.

However, the actual content and scope of some of the provisions in the Regulations are sometimes difficult to reconcile with the principles of data protection - especially with the principle of proportionality and the purpose specification/ finality principle. We will indicate further how these Regulations may infringe data protection law.  

Human Rights in the European Union

What 

Human rights and in particular the European Convention for the Protection of Human Rights and Fundamental Freedoms apply to Eurodac, the VIS and the European passport. The VIS Proposal recognises explicitly the application of human rights. The Eurodac Regulation states that ‘… the procedure for taking fingerprints shall be determined in accordance with the safeguards laid down in the European Convention on Human Rights and in the United Nations Convention on the Rights of the Child’.

We will discuss four fundamental rights: freedom of movement of persons, the human right to data protection, the human right to a fair trail and the human right to privacy.  

Freedom of movement 

The use of the databases that we discussed above can lead to illegitimate grounds for stopping people (at border controls). It is not unimaginable that people’s applications for visa or travel documents are refused without being informed of the reasons why; that people are not informed of the reason why they are stopped at a border, or; that people are stopped solely on the grounds of personal data such as criminal convictions that are available to the access authorities. It is also not unimaginable that agents often merely follow the results of a database query. In these cases, people cannot freely move.  

In a recent case relating to the use of the SIS (the Schengen Information System), the European Court of Justice declared that Spain infringed the right of free movement of people, by refusing entry to a person into the Schengen area and by refusing to issue a visa for the purpose of entry into that territory to this person and his wife, nationals of a third country who are the spouses of Member State nationals, on the sole ground that they were persons for whom alerts were entered in the Schengen Information System for the purposes of refusing them entry, without first verifying whether the presence of those persons constituted a genuine, present and sufficiently serious threat affecting one of the fundamental interests of society. The applicable Council Directive 64/221 (Article 3) - which Spain infringed - stated that “measures taken on grounds of public policy or of public security shall be based exclusively on the personal conduct of the individual concerned” and that “Previous criminal convictions shall not in themselves constitute grounds for the taking of such measures.”

The human right to data protection 

The human right to data protection is explicitly recognised in Article 8 of the Charter of Fundamental Rights of the European Union. The right to data protection as a human right has been included in a separate Article 8, besides the right to privacy in Article 7. This highlights the difference between privacy and data protection and underlines the need for co-existence of both human rights: there are indeed circumstances where the right to privacy applies and the right to data protection does not, and vice versa (De Hert & Gutwirth, 2003; De Hert & Gutwirth, 2005).

The human right to a fair trial 

Article 6 European Charta of Human Rights guarantees the right to a fair trial. The right to a fair trial constitutes a basic element of a democratic society governed by the rule of law (De Hert, 2005). Specific guarantees exist under Article 6, second paragraph: ‘Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law’.

The human right to privacy 

Article 8 of the European Convention on Human Rights (ECHR) provides for the fundamental right of privacy.

The European Court of Justice (ECJ) has confirmed that the criteria and limitations set forward by Article 8 apply when assessing whether processing of personal data conforms to Community law.

Article 8 imposes strict limitations on interference with an individual’s private sphere by public authorities: If there is a law that provides for an interference with private life, such interference must be further justified. An important limitation on the interference by a public authority with an individual’s private life is the ‘necessity criterion’: the interference must be ‘necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others’.

This necessity criterion imposed by privacy law relates to the proportionality principle of data protection law: ‘personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’. Non-compliance with the proportionality requirement of data protection law (namely when inadequate, irrelevant or excessive data are processed) implies at the same time that the necessity requirement imposed by privacy law may be infringed (in situations of course when the right to privacy of Article 8 ECHR applies). The European Court of Human Rights confirms this: ‘the notion of necessity implies a ‘pressing social need’; in particular, the measure employed must be proportionate to the legitimate aim pursued”. If too many or irrelevant data are processed in relation to the purpose of the processing, the processing can be considered as illegitimate.

We will further indicate how the different Regulations might infringe these principles.