Explanatory Memorandum to COM(2016)883 - Establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters - Main contents

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2016)883 - Establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial ...
source	COM(2016)883
date	21-12-2016

1. CONTEXTOFTHEPROPOSAL

• Reasons for and objectives of the proposal

Over the course of the last two years, the European Union has been working on simultaneously addressing the separate challenges of migration management, integrated border management of the EU's external borders and the fight against terrorism and crossborder crime. Effective information exchange amongst Member States, and between Member States and the relevant EU agencies, is essential to providing a robust response to those challenges and to building an effective and genuine Security Union.

The Schengen Information System (SIS) is the most successful tool for the effective cooperation of immigration, police, customs and judicial authorities in the EU and the Schengen associated countries. Competent authorities in the Member States such as police, border guards and customs officers need to have access to high quality information about the persons or objects they are checking, with clear instructions about what needs to be done in each case. This large-scale information system is at the very heart of Schengen cooperation and plays a crucial role in facilitating the free movement of people within the Schengen area. It enables competent authorities to enter and consult data on wanted persons, persons who may not have the right to enter or stay in the EU, missing persons – in particular children – and objects that may have been stolen, misappropriated or lost. SIS not only contains information about a particular person or object but also clear instructions for the competent authorities on what to do with that person or object once found.

In 2016, the Commission carried out a comprehensive evaluation¹ of SIS, three years after the entry into operation of its second generation. This evaluation showed that SIS has been a genuine operational success. In 2015, national competent authorities checked persons and objects against data held in SIS on nearly 2.9 billion occasions and exchanged over 1.8 million pieces of supplementary information. Nonetheless, as announced in the Commission Work Programme 2017, building on this positive experience, the effectiveness and efficiency of the system should be further strengthened. To this end, the Commission is presenting a first set of three proposals to improve and extend the use of SIS as result of the evaluation while continuing its work to make existing and future law enforcement and border management systems more interoperable, following up on the ongoing work of the High Level Expert Group on Information Systems and Interoperability.

These proposals cover the use of the system (a) for border management, (b) for police cooperation and judicial cooperation in criminal matters, and (c) for the return of illegally staying third country nationals. The first two proposals together form the legal bases for the establishment, operation and use of the SIS. The proposal for the use of SIS for the return of illegally staying third country nationals supplements the proposal for border management and

Report to the European Parliament and Council on the evaluation of the second generation Schengen Information System (SIS II) in accordance with Art. 24 (5), 43 i and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 i and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working Document. (OJ…).

complements the provisions contained therein. It establishes a new alert category and contributes to the implementation and monitoring of Directive 2008/115/EC².

Due to the variable geometry in Member States' participation in EU policies in the area of freedom, security and justice, it is necessary to adopt three separate legal instruments which will nonetheless work seamlessly together to enable the comprehensive operation and use of the system.

In parallel, with a view to enhancing and improving information management at EU level, in April 2016, the Commission began a process of reflection on 'Stronger and Smarter Information Systems for Borders and Security'.³ The overarching objective is to ensure that competent authorities systematically have the necessary information from different information systems at their disposal. In order to achieve this objective, the Commission has been reviewing the existing information architecture to identify information gaps and blind spots that result from shortcomings in the functionalities of existing systems, as well as from fragmentation in the EU's overall architecture of data management. The Commission set up a High Level Expert Group on Information Systems and Interoperability to support this work, whose interim findings have also informed this first set of proposals as regards issues of data quality.⁴ President Juncker's State of the Union address in September 2016 also referred to the importance of overcoming the current shortcomings in information management and of improving the interoperability and interconnection between existing information systems.

Following the findings of the High Level Expert Group on Information Systems and Interoperability, which will be presented in the first half of 2017, the Commission will consider a second set of proposals to further improve interoperability of SIS with other IT systems in mid-2017. The review of Regulation (EU) No 1077/2011⁵ concerning the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) is an equally important element of this work and is likely to be the subject of separate Commission proposals also in 2017. Investing in swift, effective and qualitative information exchange and information management and ensuring the interoperability of EU databases and information systems is an important aspect of addressing current security challenges.

This proposal forms part of a first set of proposals⁶ to improve the functioning of SIS and its operation and use in the field of police cooperation and judicial cooperation in criminal matters. It implements:

(1) the Commission's announcement to improve the added value of the SIS for law

enforcement purposes⁷ to respond to new threats;

2. Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on

common standards and procedures in Member States for returning illegally staying third-country

nationals (OJ L 348, 24.12.2008, p. 98).

COM(2016) 205 final of 6.4.2016.

Commission Decision 2016/C 257/03 of 17.6.2016.

3. Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011

establishing a European Agency for the operational management of large-scale IT systems in the area of

freedom, security and justice (OJ L 286, 1.11.2011, p.1).

Regulation (EU) 2018/xxx [border checks] and Regulation (EU) 2018/xxx [return of illegally staying

third country nationals].

See the Communication on "Delivering on the European Agenda on Security to fight against terrorism

and pave the way towards an effective and genuine Security Union", pp. 4f, COM(2016) 230 final of

20.4.2016.

2

6

(2) consolidation of the results of the work on the implementation of SIS carried out in the last three years entailing technical amendments to the Central SIS in order to extend some of the existing alert categories and provide new functionalities;

(3) recommendations for technical and procedural changes resulting from a comprehensive evaluation of the SIS ;

(4) requests from SIS end-users for technica improvements; and

(5) the interim findings of the High Level Expert Group on Information Systems and Interoperability⁹ as regards data quality.

In light of the fact that this proposal is intrinsically linked to the Commission proposal for a Regulation on the establishment, operation and use of the SIS in the field of border checks, a number of provisions are common to both texts. These include measures covering the end-to-end use of SIS, including not only the operation of the central and national systems, but also end-user needs; strengthened measures for business continuity; measures addressing data quality, data protection and data security, and provisions concerning monitoring, evaluation and reporting arrangements. Both proposals also extend the use of biometric information.

The current legal framework of the second generation of SIS — concerning its use for the purposes of police cooperation and judicial cooperation in criminal m atters — is based upon a former third pillar instrument: Council Decision 2007/533/JHA¹¹ as well as a former first pillar instrument: Regulation (EC) No 1986/2006¹² .This proposal consolidates the content of the existing instruments whilst adding new provisions so as to:

• better harmonise national procedures for the use of SIS, in particular with regard to terrorism related offences as well as children being at risk of parental abduction;

• extend the scope of SIS by introducing new elements of biom etric identifiers to existing alerts;

• introduce technical changes to improve security and help reduce admini strati ve burden by providing for compulsory national copies and common technical standards for implementation;

• address the complete end-to-end use of SIS, covering not only the central and national systems, but also ensuring that end-users receive all necessary data to perform their tasks and they comply with all security rules when they process SIS data

9

10

11

12

4. Report to the European Parliament and Council on the evaluation of the second generation Schengen

Information System (SIS II) in accordance with Art. 24 (5), 43 i and 50 (5) of Regulation (EC) No

1987/2006 and Art. 59 i and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working

Document. (OJ…).

High Level Expert Group - Chairman's Report of 21 December 2016.

Please see Section 5 Other elements for detailed explanation of the changes included in this proposal

5. Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second

generation Schengen Information System (SIS II) (OJ L 205, 7.8.2007, p. 63).

6. Regulation (EC) 1986/2006 of the European Parliament and of the Council of 20 December 2006

regarding access to the Second Generation Schengen Information System (SIS II) by the services in the

Member States responsible for issuing vehicle registration certificates (OJ L 381, 28.12.2006, p.

1).

8

•Consistency with other Union policies as well as with existing and future legal instruments

This proposal is closely linked with and complements other Union policies, namely:

(1) Internal security as underlined in the European Agenda on Security¹³ and the Commission's work towards an effective and genuine Security Union¹⁴, to prevent, detect, investigate and prosecute terrorist offences and other serious crimes by enabling law enforcement authorities to process personal data of persons suspected to be involved in acts of terrorism or serious crimes.

(2) Data protection insofar as this proposal ensures the protection of fundamental rights of individuals whose personal data is processed in SIS.

This proposal is also closely linked with and complements existing Union legislation, namely:

(3) European Border and Coast Guard as regards their access to SIS for the purposes of the proposed European Travel Information and Authorisation System (ETIAS)¹⁵, as well as for providing a technical interface for SIS access to European Border and Coast Guard Teams, teams of staff involved in return-related tasks and members of the migration management support team to, within their mandate, have the right to access and search data entered in SIS.

(4) Europol insofar as this proposal grants Europol additional rights to access and search of data, within its mandate, that have been entered in SIS.

(5) Prüm insofar as the developments in this proposal to enable the identification of individuals on the basis of fingerprints (as well as facial images and DNA profiles) complements the existing Prüm provisions¹⁶ on mutual cross-border online access to designated national DNA databases and automated fingerprint identification systems.

This proposal is also closely linked with and complements future Union legislation, namely:

(6) Management of the external borders. The proposal complements the envisaged new principle in the Schengen Borders Code of the systematic checks against relevant databases of all travellers, including the EU citizens, upon entry and exit to the Schengen area, as established in response to the phenomenon of foreign terrorist fighters.

(7) Entry/Exit System. The proposal seeks to reflect the proposed use of a combination of fingerprint and facial image as biometric identifiers for the operation of the Entry/Exit System (EES).

(8) ETIAS. The proposal takes into account the proposed ETIAS which provides for a thorough security assessment, including a check in SIS, of third country nationals who intend to travel in the EU.

7. 13 14 15 16

COM(2015) 185 final. COM(2016) 230 final. COM(2016) 731 final.

Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p.1); and Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime (OJ L 210, 6.8.2008, p. 12).

2. LEGALBASIS, SUBSIDIARITYAND PROPORTIONALITY

• Legal basis

This proposal uses Articles 82(1)(d), 85(1), 87(2)(a) and 88(2)(a) of the Treaty on the Functioning of the European Union as the legal bases for provisions concerning police cooperation and judicial cooperation in criminal matters.

• Variable geometry

This proposal builds upon the provisions of the Schengen acquis related to police cooperation and judicial cooperation in criminal matters. Therefore the following consequences in relation to the various protocols and agreements with associated countries have to be considered:

Denmark: According to Article 4 of Protocol 22 on the position of Denmark annexed to the Treaties, Denmark shall decide, within a period of six months after the Council has decided on this Regulation, whether it will implement this proposal, which builds upon the Schengen acquis, in its national law.

The United Kingdom: In accordance with Article 5 of the Protocol on the Schengen acquis integrated into the framework of the European Union annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union and Article 8(2) of Council Decision 2000/365/EC of 29 May 2000, concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis¹⁷, the United Kingdom is bound by this Regulation.

Ireland: In accordance with Article 5 of the Protocol on the Schengen acquis integrated into the framework of the European Union annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union and Article 6(2) of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis¹⁸, Ireland is bound by this Regulation.

Bulgaria and Romania: This Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis, within the meaning of Article 4(2) of the 2005 Act of Accession. This Regulation has to be read in conjunction with Council Decision 2010/365/EU of 29 June 2010¹⁹ which rendered applicable, subject to some restrictions, the provisions of the Schengen acquis related to the Schengen Information System in Bulgaria and Romania.

Cyprus and Croatia: This Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(2) of the 2003 Act of Accession and Article 4(2) of the 2011 Act of Accession.

Associated Countries: On the basis of the respective agreements associating those countries with the implementation, application and development of the Schengen acquis, Iceland, Norway, Switzerland and Liechtenstein are to be bound by the Regulation proposed.

8. 17 18 19

OJ L 131, 1.6.2000, p. 43.

OJ L 64, 7.3.2002, p.20.

9. Council Decision of 29 June 2010 on the application of the provisions of the Schengen acquis relating

to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 166, 1.7.2010, p.

17).

• Subsidiarity

This proposal will develop and build upon the existing SIS, which has been operational since 1995. The original intergovernmental framework was replaced by Union instruments on 9 April 2013 (Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA). A full subsidiarity analysis has been carried out in previous occasions; this initiative aims at further refining the existing provisions, addressing identified gaps and improving operational procedures.

The considerable level of information exchange between Member States through SIS cannot be achieved via decentralised solutions. By reason of the scale, effects and impacts of the action, this proposal can be better achieved at Union level.

The objectives of this proposal encompass, inter alia, technical improvements to enhance the efficiency of SIS, as well as efforts to harmonise the use of the system across all participating Member States. Due to the transnational nature of these aims and of the challenges in ensuring effective information exchange to counter ever diversifying threats, the EU is well placed to propose solutions to these issues, which cannot be sufficiently achieved by the Member States alone.

If existing limitations to SIS are not addressed, there is a risk that numerous opportunities for maximised efficiency and EU added value are missed and that there are blind spots impeding the work of competent authorities. As an example, the lack of harmonised rules on the deletion of redundant alerts within the system can lead to the hindrance of free movement of persons as a fundamental principle of the Union.

• Proportionality

Article 5 of the Treaty on the European Union states that action by the Union shall not go beyond what is necessary to achieve the objectives set out in the Treaty. The form chosen for this EU action must enable the proposal to achieve its objective and be implemented as effectively as possible. The proposed initiative constitutes a revision of SIS in relation to police cooperation and judicial cooperation in criminal matters.

The proposal is driven by the privacy by design principles. In terms of the right to protection of personal data, this proposal is proportionate as it provides for specific alert deletion rules and does not require the collection and storage of data for longer than is absolutely necessary to allow the system to function and meet its objectives. Based on consideration of the operational requirements, this proposal reduces the retention period for object alerts and brings them into line with person related alerts (as they are many times related to personal data, such as a personal identification documents or number plates). Policing experience show that stolen property can be recovered within a relatively short period of time which makes a 10 year expiry date for object alerts unnecessarily long.

SIS alerts contain only the data which is required to identify and locate a person or an object and to enable appropriate operational action. All other additional details are provided via the SIRENE Bureaux enabling the exchange of supplementary information.

In addition, the proposal provides for the implementation of all necessary safeguards and mechanisms required for the effective protection of the fundamental rights of the data subjects; particularly the protection of their private life and personal data. It also includes provisions designed specifically to strengthen the security of individuals' personal data held in SIS.

No further processes or harmonisation will be necessary at EU level to make the system work. The envisaged measure is proportionate in that it does not go beyond what is necessary in terms of action at EU level to meet the defined objectives.

• Choice of the instrument

The proposed revision will take the form of a Regulation and will replace Council Decision 2007/533/JHA whilst retaining much of the content of that Decision. Decision 2007/533/JHA was adopted as a so-called third pillar instrument under the former Treaty on the European Union. Such third pillar instruments were adopted by the Council without the European Parliament as co-legislator. The legal basis of this proposal is in the Treaty on the Functioning of the European Union (TFEU) since the pillar structure ceased to exist with the entry into force of the Lisbon Treaty on 1 December 2009. The legal basis commands the use of the ordinary legislative procedure. The form of a Regulation (of the European Parliament and of the Council) has to be chosen because the provisions are to be binding and directly applicable in all Member States.

The proposal will build on and enhance an existing centralised system through which Member States cooperate with each other, something which requires a common architecture and binding operating rules. Moreover, it lays down mandatory rules on access to the system including for the purpose of law enforcement which are uniform for all Member States as well as the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice²⁰ (eu-LISA). Since 9 May 2013, eu-LISA is responsible for the operational management Central SIS, which consists of all tasks necessary to ensure the full operation of Central SIS 24 hours a day, 7 days a week. This proposal builds on the responsibilities of eu-LISA in relation to SIS.

Furthermore, the proposal provides for directly applicable rules enabling data subjects' access to their own data and remedies without requiring further implementing measures in this respect.

10. As a consequence, only a Regulation

can be chosen as a legal instrument.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

Contents

CONSULTATIONS

Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on

Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011

Report to the European Parliament and Council on the evaluation of the second generation Schengen

Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second

Regulation (EC) 1986/2006 of the European Parliament and of the Council of 20 December 2006

13 14 15 16

17 18 19

Council Decision of 29 June 2010 on the application of the provisions of the Schengen acquis relating

As a consequence, only a Regulation

22 23

Commission Implementing Decision (EU) 2015/219 of 29 January 2015 replacing the Annex to

Commission recommendation establishing a catalogue of recommendations and best practices for the

i) Identification purposes when the subject has intentionally or unintentionally

ii) Latent prints from crime scenes. Often, the suspect leaves traces at a crime scene

Categories of data and data processing

Retention

Deletion

Rights for data subjects to access data, rectify inaccurate data and erase unlawfully stored data

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the

Sharing data on lost, stolen, invalidated and misappropriated documents with Interpol

Statistics

Monitoring and statistics

1.

CONSULTATIONS

ANDIMPACTASSESSMENTS

• Ex-post evaluations/fitness checks of existing legislation

In accordance with Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA, three years after its entry into operation, the Commission carried out an overall evaluation of Central SIS II as well as of the bilateral and multilateral exchange of supplementary information between Member States.

The results of the evaluation highlighted the need for changes to the SIS legal basis in order to provide a better response to new security and migration challenges. This includes for example a proposal to address the end-to-end perspective of SIS by regulating its use by the end-users and setting out data security standards applicable also to end-user applications, to reinforce the system for counter-terrorism purposes by providing a new action to be taken, clarify the situation of children who are under threat to be abducted by their parents as well as to expand the biometric identifiers available in the system.

²⁰ Established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council of

25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p.1).

The evaluation results also showed the need for legal amendments in order to improve the technical functioning of the system and to streamline national processes. These measures will enhance the efficiency and effectiveness of SIS by facilitating its use and reducing unnecessary burden. Further measures are designed to enhance the data quality and transparency of the system by more clearly describing the specific reporting tasks of Member States and eu-LISA.

The results of the comprehensive evaluation (the evaluation report and the related Staff Working Document were adopted on 21 December 2016²¹) have formed the basis of the measures contained within this proposal.

• Stakeholder consultations

During the Commission's evaluation of SIS, feedback and suggestions were sought from relevant stakeholders, including delegates to the SISVIS Committee under the procedure established in Article 67 of Council Decision 2007/533/JHA. This Committee includes the Member States’ representatives on both operational SIRENE matters (cross-border cooperation in relation to SIS) and technical matters in the development and maintenance of SIS and the related SIRENE application.

Delegates responded to detailed questionnaires as part of the evaluation process. Where further clarification was necessary or the subject needed to be further developed this was achieved through email exchange or targeted interview. This iterative process allowed issues to be raised in a comprehensive and transparent way. Throughout 2015 and 2016, delegates to the SISVIS Committee discussed these issues in dedicated meetings and workshops.

The Commission also consulted specifically with Member State national data protection authorities and members of the SIS II Supervision Coordination Group in the field of data protection. Member States shared their experiences on subject access requests and the work of national data protection authorities by responding to a dedicated questionnaire. The responses to this questionnaire from June 2015 have informed the development of this proposal.

Internally, the Commission set up an Inter-service Steering Group including the Secretariat-General and the Directorates-General for Migration and Home Affairs, Justice and Consumers, Human Resources and Security, and Informatics. This steering group monitored the evaluation process and provided guidance as needed.

The evaluation's findings also took into account evidence collected during on-site evaluation visits to Member States examining in detail how SIS is used in practice. This includes discussions and interviews with practitioners, SIRENE Bureau staff and national competent authorities.

In light of this feedback, this proposal makes provision for measures to improve the technical and operational efficiency and effectiveness of the system.

• Collection and use of expertise

In addition to the stakeholder consultations, the Commission also sought external expertise via three studies, the findings of which have been incorporated in the developments of this proposal:

Report to the European Parliament and Council on the evaluation of the second generation Schengen Information System (SIS II) in accordance with Art. 24 (5), 43 i and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 i and 66(5) of Decision 2007/533/JHA and an accompanying Staff Working Document.

21

SIS Technical Assessment (Kurt Salmon)²²

This assessment identified the key issues in the functioning of SIS and future needs that should be addressed, primarily identifying concerns with regards to maximising business continuity and ensuring that the overall architecture can adapt to increasing capacity requirements.

• ICT Impact Assessment of Possible Improvements to the SIS II Architecture (Kurt Salmon)²³

This study assessed the current cost of operating SIS at national level and evaluated two possible technical scenarios for the improvement of the system. Both scenarios include a set of technical proposals focusing on improvements to the central system and overall architecture;

• ICT Im pact Assess ment of the technical improvements to the SIS II architecture — Final Report",10 November 2016, (Wavestone) ²⁴

This study assessed the cost impacts on Member States of the implementation of a national copy by analysing three scenarios (a fully centralised system, a standardised N.SIS implementation developed and provided by eu - LISA to Member States and a distinct N.SIS implementation with common technical sta ndards).

• Im pact assessment

The Commission did not carry out an impact assessment.

The three independent assessments mentioned above (in Collection and use of expertise ) formed the basis of consideration for the impacts of changes to the system from a technical perspective. In addition, the Commission has concluded two reviews of the SIREN E Manual since 2013, i.e. since SIS II entered into operation on 9 April 2013 and Decision 2007/533/JHA became applicable. This includes a mid-term review assessment which resulted in the launch of a new SIRENE Manual on 29 January 2015. The Commission also adopted a Catalogue of Best Practices and Recommendations²⁶. Moreover, eu - LISA and the Member States carry out regular, iterative technical improvements to the system. It is considered that these options have now been exhausted, requiring more wholesale amendment to the legal basis. Clarity in areas such as application of end-user systems as well as detailed rules on alert deletion cannot be achieved through improved implementation and enforcement alone.

Furthermore, the Commission has carried out a comprehensive evaluation of SIS as required by Articles 24 (5), 43 i and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 i and 66(5) of Decision 2007/533/JHA and published an accompanying Staff Working

11. 22 23

25

26

European Commission FINAL REPORT — SIS II technical assessment.

European Commission FINAL REPORT — ICT Impact Assessment of Possible Improvements to the

SIS II Architecture 2016.

European Commission FINAL REPORT — ICT Impact Assessment of the technical improvements to

the SIS II architecture – Final Report",10 November 2016, (Wavestone).

12. Commission Implementing Decision (EU) 2015/219 of 29 January 2015 replacing the Annex to

Implementing Decision 2013/115/EU on the SIRENE Manual and other implementing measures for the

second generation Schengen Information System (SIS II) (OJ L 44, 18.2.2015, p. 75).

13. Commission recommendation establishing a catalogue of recommendations and best practices for the

correct application of the second generation Schengen Information System (SIS II) and the exchange of

supplementary information by the competent authorities of the Member States implementing and using

SIS II (C(2015)9169/1).

24

Document. The results of the comprehensive evaluation (the evaluation report and the related Staff Working Document were adopted on 21 December 2016) have formed the basis of the measures contained within this proposal.

The Schengen evaluation mechanism, laid down in Regulation (EU) No. 1053/2013²⁷ allows the periodic legal and operational assessment of the functioning of SIS in the Member States. The evaluations are jointly carried out by the Commission and Member States. Through this mechanism, the Council makes recommendations to individual Member States, based on the evaluations carried out as part of multi-annual and annual programmes. As a result of their individual nature, these recommendations cannot replace legally binding rules which are applicable at the same time to all Member States using SIS.

The SISVIS Committee regularly discusses practical operational and technical issues. Although these meetings are instrumental in the cooperation between the Commission and the Member States, the outcome of these discussions (absent legislative changes) cannot remedy issues emerging due to diverging national practices, for example.

The changes proposed in this Regulation do not present a significant economic or environmental impact. However, these changes are expected to have a significantly positive social impact as they provide for increased security by allowing better identification of persons using false identities, criminals whose identity remains unknown after having committed a serious crime as well as missing minors. The impact of these changes on fundamental rights and data protection has been considered and set out in more detail in the next section ("Fundamental rights").

The proposal has been drawn up making use of the substantial body of evidence collected to inform the overall evaluation of the second generation of SIS, which explored the functioning of the system and possible areas for improvement. In addition, a cost impact assessment study was carried out, to ensure that the national architecture chosen was the most appropriate and proportionate.

• Fundamental rights and data protection

This proposal develops and improves an existing system, rather than establishing a new one, and hence builds upon important and effective safeguards that have already been put in place. Nevertheless, as the system continues to process personal data, and will process further categories of sensitive biometric data, there are potential impacts on an individual's fundamental rights. These have been thoroughly considered, and additional safeguards have been put in place to limit the collection and further processing of data to what is strictly necessary and operationally required, and restricting access to that data to those who have an operational need to process it. Clear data retention timeframes have been set out in this proposal, including reduced retention periods for object alerts. There is explicit recognition of and provision for individuals' rights to access and rectify data relating to them, and to request erasure in line with their fundamental rights (see section on data protection and security).

In addition, the proposal strengthens measures to protect fundamental rights, as it sets out in legislation the requirements for an alert to be deleted and introduces a proportionality assessment if an alert is being extended. More reliable identification of individuals will be

Regulation (EU) No. 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11,2013, p.27).

27

possible through the use of biometric data for missing persons who need protection, ensuring personal data is accurate and protected appropriately. The proposal defines extensive and robust safeguards for the use of biometric identifiers to avoid innocent persons being inconvenienced.

The proposal also requires the end-to-end security of the system, ensuring greater protection for the data stored within it. With the introduction of a clear incident management procedure, as well as improved business continuity for the SIS, this proposal fully complies with the Charter of Fundamental Rights of the European Union²⁸ as regards the right to the protection of personal data The development and continued effectiveness of SIS will contribute to the security of persons within society.

The proposal envisages significant changes concerning biometric identifiers. In addition to fingerprints, palm prints should also be collected and stored if the legal requirements are met. Fingerprint logs are attached to alphanumeric SIS alerts as provided for in Articles 26, 32, 34 and 36. It should be possible in the future to search these dactylographic data (fingerprints and palm prints) with fingerprints found at a scene of crime provided that the offence qualifies as serious crime or terrorism and that it can be stated to a high degree of probability that they belong to the perpetrator. Moreover, the proposal envisages the storage of fingerprints for so called 'unknown wanted persons' (the conditions are described in details in Section 5, Subsection 'Photographs, facial images, dactylographic data and DNA profiles'). In case of uncertainty concerning a person's identity based upon his documents, the competent authorities should carry out a fingerprint search against the fingerprints stored in the SIS database.

The proposal requires the collection and storage of additional data (such as details of the personal identification documents) that facilitates the work of the officers on the ground to establish the identity of a person.

The proposal guarantees the data subject's right to effective remedies available to challenge any decisions, which shall in any case include an effective remedy before a court or tribunal in line with Article 47 of the Charter of Fundamental Rights.

4. BUDGETARYIMPLICATIONS

SIS constitutes one single information system. Consequently, the expenditure foreseen in two of the proposals (the current one and the Proposal for a Regulation on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks) should not be considered as two separate amounts but as a single one. The budgetary implications of the changes required for the implementation of both proposals are included in one legislative financial statement.

Due to the complementary nature of the third proposal (concerning the return of illegally staying third country nationals) the budgetary implications are dealt with separately and in an independent financial statement addressing only the establishment of this specific alert category.

On the basis of an assessment of the various aspects of the work required in relation to the network, the Central SIS by eu-LISA and the national developments in the Member States, the two proposals for Regulations will require a global amount of EUR 64.3 million for the period 2018-2020.

²⁸ Charter of Fundamental Rights of the European Union (2012/C 326/02).

This covers an increase of the TESTA-NG bandwidth due to the fact that in accordance with the two proposals, the network will transmit fingerprint files and facial images requiring higher throughput and capacity (EUR 9.9 million). It also covers eu-LISA’s costs in relation to staff and operational expenditure (EUR 17.6 million). eu-LISA informed the Commission that the recruitment of 3 new contract agents is planned to take place in January 2018 to start the development phase in due time to ensure entry into operations of the updated functionalities of SIS in 2020. The present proposal entails technical amendments to the Central SIS in order to extend some of the existing alert categories and provide new functionalities. The financial statement attached to this proposal reflects these changes.

Furthermore, the Commission carried out a cost impact assessment study to assess the costs of the national developments necessitated by this proposal.²⁹ The estimated cost is EUR 36.8 million which should be distributed via a lump sum to the Member States. Hence, each Member State will receive the amount of EUR 1.2 million to upgrade its national system in accordance with the requirements set out in this proposal, including for setting up a partial national copy where this is not yet the case or for a back-up system.

A re-programming of the remainder of the Smart Borders envelope of the Internal Security Fund is planned in order to carry out the upgrades and implement the functionalities foreseen in the two proposals. The ISF Borders Regulation³⁰ is the financial instrument where the budget for the implementation of the Smart Borders package has been included. Article 5 of the Regulation provides that EUR 791 million shall be implemented through a programme for setting up IT systems supporting the management of migration flows across the external border under the conditions laid down in Article 15. Out of the above-mentioned EUR 791 million, EUR 480 million is reserved for the development of the Entry-Exit System and EUR 210 million for the development of the European Travel Information and Authorisation System (ETIAS). The remainder will be partly used to cover the costs of the changes foreseen in the two proposals concerning SIS.

5. OTHERELEMENTS

• Implementation plans and monitoring, evaluation and reporting arrangements

The Commission, Member States and eu-LISA will regularly review and monitor the use of SIS, to ensure that it continues to function effectively and efficiently. The Commission will be assisted by the SISVIS Committee to implement technical and operational measures as described in the proposal.

In addition, this proposed Regulation includes provisions in Article 71 i and (8) for a formal, regular review and evaluation process.

Every two years, eu-LISA is required to report to the European Parliament and the Council on the technical functioning – including security – of SIS, the communication infrastructure supporting it, and the bilateral and multilateral exchange of supplementary information between Member States.

29

30

Wavestone "ICT Impact Assessment of the technical improvements to the SIS II architecture – Final Report", 10 November 2016, Scenario 3 Distinct N. SIS II Implementation.

Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa (OJ L 150, 20.5.2014, p. 143).

Furtherm ore, every four years, the Commission is required to conduct, and share with the Parliament and the Council, an overall evaluation of SIS and the exchange of information between Member States. This will:

• examine results achieved against objectives;

• assess whether the underlying rationale for the syste m remains val id;

• examine how the Regulation is being applied to the central system ;

• evaluate the security of the central system ;

• explore implications for the future functioning of the system .

eu-LISA is also now charged with providing daily, monthly and annual statistics on the use of SIS, ensuring continuous monitoring of the syste m and its functioning against objectives.

• Detailed explanation of the specific provisions of the proposal

Provisions that are common to this proposal and the proposal for a Regulation on the establishment, operation and use of the SIS in the field of border checks

• General Provisi ons (Articles 1 - 3)

• Technical architecture and ways of operating SIS (Articles 4 - 14)

• Responsibilities of eu - L IS A (Arti cl es 15 - 18)

• Right to access and retention of alerts (Articles 43, 46, 48, 50 and 51)

• General data processing and data protection rules (Articles 53 — 70)

• Monitoring and stati sti cs (Article 71 )

End-to-end use of SIS

With over 2 million end-users in the competent authorities across Europe, SIS is an extremely widely used and effective tool for information exchange. These proposals include rules covering the complete end-to-end operation of the system, including Central SIS operated by eu-LISA, the national systems and the end-user applications. It addresses not only the central and national systems, but also the end-users technical and operational needs.

Article 9(2) specifies that end-users must receive the data required to perform their tasks (in particular all data required for the identification of the data subject and to take the required action). It also provides for a common blueprint for Member State implementation of SIS, ensuring ha rm onisati on across all national systems. Article 6 stipulates that each Member State must ensure uninterrupted availability of SIS data to end-users, in order to maximise the operational benefits by reducing the possibility of downtime.

Article 10 i ensures that the security of data processing also includes the data processing activities of the end-user. Article 14 obliges Member States to ensure that staff with access to SIS receive regular and ongoing training about data security and data protection rules.

As a result of the inclusion of these measures, this proposal more comprehensively covers the full end-to-end functioning of SIS, with rules and obligations concerning the millions of end-users across Europe. In order to use SIS to its full effectiveness Member States should ensure that each time their end-users are entitled to carry out a search in a national police or immigration database, they also search SIS in parallel. This way SIS can fulfil its objective as the main compensatory measure in the area without internal border controls and Member States can better address the cross-border dimension of criminality and the mobility of

criminals. This parallel search must remain in compliance with Article 4 of Directive (EU) 2016/680³¹.

Business continuity

The proposals strengthen provisions regarding business continuity, both at national level and for eu-LISA (Articles 4, 6, 7 and 15). These ensure that SIS will continue to remain functional and accessible to staff on the ground, even if there are issues that affect the system.

Data quality

The proposal maintains the principle that the Member State, which is the data owner, is also responsible for the accuracy of the data entered in SIS (Article 56). It is, however, necessary to provide for a central mechanism managed by eu-LISA which allows Member States to regularly review those alerts in which the mandatory data fields may raise quality concerns. Therefore Article 15 of the proposal empowers eu-LISA to produce data quality reports to Member States at regular intervals. This activity may be facilitated by a data repository for producing statistical and data quality reports (Article 71). These improvements reflect the interim findings of the High Level Expert Group on Information Systems and Interoperability.

Photographs, facial images, dactylographic data and DNA profiles

The possibility to search with fingerprints with a view to identify a person is already set out in Article 22 of Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA. The proposals make this search mandatory if the identity of the person cannot be ascertained in any other way. Furthermore, changes to Article 22 and new Articles 40, 41 and 42 will allow the use of facial images, palm prints and DNA profiles to identify a person, in addition to the use of fingerprints. Currently, facial images can only be used to confirm a person's identity following an alphanumeric search, rather than serving as the basis for a search. Dactylography refers to the scientific study of fingerprints as a method of identification. Experts in dactylography recognise that palm prints have the characteristic of uniqueness and that they contain reference points that enable accurate and conclusive comparisons just as do fingerprints. Palm prints can be used to establish a person's identity in the same way that fingerprints can be used. The taking of palm prints along with the ten rolled and ten flat prints of a person has been police practice for many decades. There are two main uses of palm prints:

14. i) Identification purposes when the subject has intentionally or unintentionally

damaged the tips of their fingers. This can be through an attempt to avoid being identified or fingerprinted or through damage caused by accident or heavy manual work. In the course of the discussion on the technical rules of SIS AFIS Italy reported considerable success in the identification of irregular migrants who had intentionally damaged their fingertips in an attempt to avoid identification. The taking of palm prints by the Italian authorities allowed subsequent identification.

15. ii) Latent prints from crime scenes. Often, the suspect leaves traces at a crime scene

and these transpire to be from the palm of the hand. It is only through the routine taking of palm prints, when a person is lawfully fingerprinted, that the suspect can be identified. The palm print also usually contains detail from the base of the fingers

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (OJ L 119, 4.5.2016, p.89).

31

which is often missing from the rolled and flat prints taken, as the latter tend to concentrate on the finger tips and upper joints.

The use of facial images for identification will ensure greater consistency between SIS and the proposed EU Entry Exit System, electronic gates and self-service kiosks. This functionality will be limited to the regular border crossings.

In cases where fingerprints or palm prints are not available, Article 22(1)(b) allows for the use of DNA profiles for missing persons who need to be placed under protection, especially children. This functionality will be used only in the absence of fingerprints and will be accessible only to authorised users. This provision therefore allows for the use of the DNA profiles via the missing person/child's parents or siblings to enable national authorities to identify and locate the individual in question. Member States already exchange this information with each other at an operational level, through the exchange of supplementary information. This proposal forms a regulatory framework around this practice, by inserting it into the substantive legislative basis for the operation and use of SIS and by implementing clear processes around the circumstances in which such profiles may be used.

The proposed changes will also allow SIS alerts to be issued for unknown persons wanted in connection with a crime, based on fingerprints or palm prints (Articles 40 - 42). These alerts may be created where for example latent fingerprints or palm prints are discovered at the scene of a serious crime and where there are strong reasons to suspect that the fingerprints belong to the perpetrator of that crime. For example when fingerprints are found on a weapon used in the commission of the crime or on any other object used by the perpetrator at the time when he committed the crime. This new alert category complements the Prüm provisions that enable interconnectivity of national criminal fingerprint identification systems. Via the Prüm mechanism, a Member State can launch a request to ascertain if the perpetrator of a crime whose fingerprints have been found is known in any other Member State (usually for investigative purposes). A person can be identified via the Prüm mechanism only if he or she has been fingerprinted in another Member State for criminal purposes. Hence, first time offenders cannot be identified. The developments in this proposal, i.e. the storage of fingerprints of unknown wanted persons, will enable the fingerprints of an unknown perpetrator to be uploaded into SIS so that he or she can be identified as wanted if encountered in another Member State. The use of this functionality presupposes that the Member States conducted a prior consultation of all available national and international sources but could not ascertain the identity of the person concerned. Sufficient safeguards are included in the proposal to ensure that under this category, SIS only stores the fingerprints of persons who are strongly suspected to have committed a serious crime or terrorist offence. Accordingly, the use of this new alert category can only be allowed in cases where the unknown perpetrator poses a major risk to public security which justifies the comparison of those prints with the fingerprints of travellers, for example to avoid that the person leave the area without internal border controls.

This provision does not allow end-users to insert fingerprints under this category where their connection to the perpetrator cannot be established. A further condition will be that the identity of the person cannot be established by using any other national, European or international databases storing fingerprints. Once such fingerprint is stored in SIS it will be used to identify persons whose identity cannot be ascertained in other ways. Should this check lead to a potential match, the Member State should carry out further checks with their fingerprints, possibly with the involvement of fingerprint experts to establish whether he or she is the owner of the prints stored in SIS, and should establish the identity of the person. The procedures are subject of national law. An identification as the owner of an 'unknown wanted person' in SIS possibly leads to an arrest.

Access to SIS

This sub-section describes the new elements in terms of access rights to SIS with regard to competent national authorities as well as EU Agencies (institutional users).

National authorities - immigration authorities

In order to ensure the most effective use of SIS, the proposal grants access to SIS to national authorities responsible for examining conditions and taking decisions relating to entry, stay and return of third-country nationals on the territory of Member States. This addition enables the consultation of SIS in relation to irregular migrants who have not been checked at regular border controls. This proposal ensures the same treatment of third country nationals who are crossing the external borders at regular border crossing points (and are thus subject of checks applicable with regard to third country nationals) and of third country nationals who are arriving irregularly to the Schengen area.

Furthermore, this proposal ensures that registration authorities for vehicles (Article 44), boats and aircraft will have limited access to the system to carry out their tasks, provided that they are governmental services. This will help to avoid the registration of the mentioned conveyances if they are stolen and searched in another Member States. The initiative is not new concerning the vehicle registration services as their access to SIS was already provided by Article 102a of the Schengen Convention and by Regulation (EC) No 1986/2006³². Following the same logic the proposal foresees the access of boat and aircraft registration authorities to SIS alerts related to boats and aircrafts.

Institutional users

Europol (Article 46), Eurojust (Article 47) and the European Border and Coast Guard Agency – as well as its teams, teams of staff involved in return-related tasks, and members of the migration management support team – (Articles 48 and 49) have the access to SIS and SIS data that they need. Appropriate safeguards are put in place to ensure that the data in the system is properly protected (including also the provisions in Article 50 requiring that these bodies may only access the data they need to carry out their tasks).

These changes extend access to SIS for Europol to missing person alerts, ensuring that it can make best use of the system as it carries out its duties, and add new provisions that ensure that the European Border and Coast Guard Agency as well as its teams can access the system while carrying out the different operations under their mandate assisting Member States. In the context of the work of the High Level Expert Group on Information Systems and Interoperability and with a view to further strengthening information sharing on terrorism, the Commission will assess if Europol should automatically receive a notification from SIS when an alert on terrorism-related activity is created.

Furthermore under Commission proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation System (ETIAS)³³ the ETIAS Central Unit of the European Border and Coast Guard Agency will perform searches in SIS via ETIAS in order to ascertain if the third country national applying for a

32

33

Regulation (EC) 1986/2006 of the European Parliament and of the Council of 20 December 2006 regarding access to the Second Generation Schengen Information System (SIS II) by the services in the Member States responsible for issuing vehicle registration certificates (OJ L 381, 28.12.2006, p.

1). COM (2016)731 final.

travel authorisation is subject of a SIS alert. To this end the ETIAS Central Unit will also have full access to SIS.

Specific changes to alerts

Article 26 provides for Member States to temporarily suspend alerts for arrest (in case of an ongoing police operation or investigation), making them visible only to SIRENE Bureaux but not to the officers on the ground for a limited period of time. This provision helps to avoid that a confidential police operation to arrest a highly wanted offender is jeopardised by a police officer who is not involved in the matter.

Articles 32 and 33 provide for alerts on missing persons. Changes to these allow preventive alerts to be issued in cases where parental abduction is deemed a high risk, and provide for more finely tuned categorization of missing persons alerts. Parental abductions often take place in highly planned circumstances, with the intention of rapidly leaving the Member State where the custody arrangements were agreed. These changes address a potential gap in the current legislation whereby alerts for children can only be issued once they are missing. It will allow authorities in Member States to indicate children at particular risk. These changes will mean that, where there is a high risk of imminent parental abduction, border guards and law enforcement officials are made aware of the risk and will be able to examine more closely the circumstances where an at-risk child is travelling, taking the child into protective custody if required. Supplementary information, including on the decision of the competent judicial authority that requested the alert, will be provided via the SIRENE Bureaux. The SIRENE Manual will be reviewed accordingly. This alert will require an appropriate decision of the judicial authorities granting custody only to one of the parents. A further condition will be that there is an imminent risk of abduction. The status of alerts on missing child will automatically update to reflect them reaching adulthood, when applicable.

Article 34 allows data on vehicles to be added to the alert if there is a clear indication that these are connected with the person being sought.

Article 37 introduces a new form of check, the inquiry check. This is, in particular, intended to support measures to counter terrorism and serious crime. It allows authorities to stop and question the person concerned. It is more in-depth than the existing discreet check, but does not involve searching the person and does not amount to arresting him or her. It may, however, provide sufficient information to decide on further action to be taken. Article 36 is also amended to reflect this additional type of check.

This proposal makes provision for SIS alerts to cover blank official documents and issued identity papers (Articles 36) and vehicles, including boats and aircraft (Articles 32, 34) where these are connected with alerts for people issued under these articles. Article 37 is amended to provide for action to be taken on the basis of these alerts. The objective is purely investigative as it will enable authorities to tackle situations where several persons are using authentic but look alike documents while they are not the lawful holders.

Article 38 sets out an expanded list of objects for which alerts can be issued, adding falsified documents, vehicles regardless of propulsion system (i.e. electric as well as petrol/diesel, etc.), falsified banknotes, IT equipment, and identifiable component parts of vehicles and industrial equipment. It does not contain any longer alerts on means of payment as the efficiency of those alerts remained very low and they have hardly produced any hits.

To clarify the process to be followed once an object that is subject to an alert has been found, Article 39 is amended to state that objects must be seized, in accordance with national law, in addition to contacting the authority which issued the alert.

Data protection and security

This proposal clarifies responsibility for preventing, reporting and responding to incidents that might affect the security or integrity of SIS infrastructure, SIS data or supplementary information (Arti c les 10, 16 and 57).

Article 12 conta ins provisions on keeping and searching logs of the history of alerts.

Article 12 also includes provisions relating to automated scanned searches of the number plates of motor vehicles, using Automatic Number Plate Recognition systems, obliging Member States to maintain a log of these searches in accordance with national law.

Article 15 i maintains Article 15 i of Council Decision 2007/533/JHA and provides that the Commission remains responsible for the contractual management of the communication infrastruct ure, including tasks relating to the implementation of the budget and the acquisition and renewal. These tasks will be transferred to eu - LISA in the second suite of SIS proposals in June 2017.

Article 21 extends the requirement to consider whether a case is sufficiently adequate, relevant and im portant to apply to decisions on whether the validity period of an alert should be extended. As a novelty this Article also requires member States to create an alert under Articles 34, 36 and 38 (as appropriate) in all circumstances, on those persons or their related objects whose activity falls under Articles 1, 2, 3 and 4 of Council Framework Decision 2002/475/JHA on combating terrorism.

16. Categories of data and data processing

This proposal expands the types of information (Article 20) that can be held about people for whom an alert has been issued, to also include:

• whether the person is involved any activity falling under Articles 1, 2 , 3 and 4 of Council Framework Decision 2002/475/JHA;

• other person-related remarks; the reason for the alert;

• details of the person s national reg istration number and place of registration;

• categorisation of the type of missing person case (alerts under Article 32 only);

• details of a person's identity or travel document;

• colour copy of the person s identity or travel document;

• DNA profiles (only if fingerprints suitable for identification are not available).

Article 59 expands the list of personal data that may be entered and processed in SIS for the purpose of dealing with misused identities. These data can only be entered upon the consent of the victim of misused identity. This will now also include:

• facial images;

• palm-prints;

• details of identity documents;

• the victim's address;

• the names of the victim s father and mother.

Article 20 provides for more detailed information in the alerts. It includes details of the personal identification documents of the data subjects and allowing the possibility to categorise missing children according to their disappearance, such as unaccompanied minors,

parental abduction, run-aways, etc. This is essential for the end-users to take the required measures without any delay for the protection of those children. The enhanced information allows better identification of the person concerned, and on the other hand for a more informed decision to be taken by the end-users. For the protection of the end-users carrying out the checks, SIS will also show if the person in relation to whom an alert was issued, falls under any of the categories provided in Articles 1, 2, 3 and 4 of Council Framework Decision

2002/475/JHA on combating terrorism³⁴.

The proposal makes clear that Member States must not copy data entered by another Member State into other national data files (Article 53).

17. Retention

The maximum retention period for alert on persons will be extended to five years, except for alerts for discreet, inquiry or specific checks where the retention period remains one year. Member States can always set shorter expiry periods. The extended maximum length of the expiry date follows the national practices of extending the expiry date if an alert has not yet fulfilled its purpose while the person concerned remains wanted. Moreover, it was necessary to align SIS with the retention period provided under other instruments, such as the Return Directive and Eurodac. For the sake of transparency and clarity it is necessary to provide for the same retention period for alerts on persons, except alerts created for discreet, inquiry or specific checks. The extension of the retention period does not jeopardise the interest of the data subjects as an alert cannot be kept longer than what is necessary for its purpose. Alert deletion rules have been explicitly set out in Article 52. Article 51 sets out the timeframe for reviewing alerts and includes, in particular, the reduced retention period for alerts on objects. In the absence of any operational need to retain the longer period for objects, it has now been reduced to five years to bring it in line with the retention period for person-related alerts. The expiry date for issued and blank documents, however, remains 10 years as the period of validity of documents is 10 years.

18. Deletion

Article 52 sets out the circumstances under which alerts must be deleted, bringing greater harmonisation to national practices in this area. Article 51 sets out particular provisions for SIRENE Bureau staff to delete alerts proactively that are no longer required if no reply is received from the competent authorities,.

19. Rights for data subjects to access data, rectify inaccurate data and erase unlawfully stored data

The detailed rules on the data subject's rights remained unchanged as the existing rules already ensure a high level of protection and are in line with Regulation (EU) 2016/679³⁵ and Directive 2016/680³⁶. In addition to that Article 63 sets out the circumstances under which Member States may decide not to communicate information to data subjects. This must be for

36

Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism (OJ L 164,

22.6.2002, p.

3).

20. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and on the free movement of

such data and repealing Directive 95/46/EC (General Data Protection Regulation (OJ L 119, 4.5.2016,

p.

1).

21. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data by competent authorities for

the purposes of the prevention, investigation, detection or prosecution of criminal offences or the

execution of criminal penalties, and on the free movement of such data (OJ L 119, 4.5.2016, p.89).

34

35

one of the reasons listed in this Article, and it must be a proportionate and necessary measure, in line with national law.

22. Sharing data on lost, stolen, invalidated and misappropriated documents with Interpol

Article 63 fully maintains Article 55 of Council Decision 2007/533/JHA as the better interoperability between the document section of SIS and the Interpol Stolen and Lost Document Database will be addressed by the Co mm unic atio n of the High Level Expert Group and in the second set of SIS proposals in June 2017.

23. Statistics

In order to mainta in an overview of how remedies are working in practice, Article 66 sets out provision for a standard statistical system providing annual reports on numbers of:

• data subjects' access requests;

• requests for rectification of inaccurate data and erasure of unlawfully stored data;

• cases before the courts;

• cases where the court ruled n favour of the applicant; and

• observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts created by the al ert-iss u ing State.

24. Monitoring and statistics

Article 71 sets out the arrangements that must be put in place to ensure the proper monitoring of SIS and its functioning against its objectives. To do this, eu - LISA is charged with providing daily, monthly and annual statistics on how the system is being used.

Article 71(5) requires e u - LISA to provide the Member States, the Commission, Europol, Eurojust and the European Border and Coast Guard Agency with statistical reports that it produces and allows the Commission to request additional statistical and data quality reports relating to SIS and SIRENE communication.

Article 71(6) provides for the creation and hosting of a central repository of data, as part of eu-LISAs work on monitoring the functioning of SIS. This will enable authorised staff of Member States, the Commission, Europol, Eurojust and the European Border and Coast Guard Agency to access the data listed in Article 71 i in order to produce the statistics required.