We certainly don’t need to be persuaded any more that this is the information age. The Facebook-US election-Cambridge Analytica blurring of separate scandals into one mega-crisis dominates the news cycle.

Jonathan Goldsmith

At just this moment, the European Commission has been consulting on a proposal for a regulation on a framework for the interoperability of EU information systems (police and judicial cooperation, asylum and migration). It may sound dull, but it is a big deal. The EU has a proliferation of databases that keep track of people for security and migration purposes, and their interoperability will help law enforcement. But the proposal also raises obvious human rights concerns.

Before anyone turns this into a Brexit issue – ‘thank goodness we are leaving’ – it is unlikely that we will leave this aspect of the EU. The prime minister made clear in her Munich speech in February this year that she wants to continue the kind of security cooperation and data sharing that lie behind interoperability. So we should all pay attention to what the EU is doing.

For a full description of what each of the EU databases does, see the recently published European Parliament Civil Liberties, Justice and Home Affairs (LIBE) committee report on ‘Interoperability of Justice and Home Affairs Information Systems’, which maps the scope of each in full.

The complications are enormous - as is the length of the report written for the parliament. A brief article can give only a sketchy outline. But even a sketch is useful for an idea of what our future looks like in a state, within the EU or out, which holds multiple and easily accessible records about us. The records here relate mainly to crossing borders and committing crime, but there are similar records kept in many other areas of our lives.

In brief, and just to give an idea of what is covered in the EU databases, they are:

  • A Visa Information System (VIS) - infrastructure linked to national systems and consulates in third countries, with a central database and an Automated Fingerprint Identification System (AFIS)
  • European Dactyloscopy (Eurodac) - infrastructure connecting a central system with each member state’s National Access Point to provide an encrypted virtual network dedicated to data such as Member State of origin, fingerprint data etc., needed for asylum and international protection applications
  • Second-Generation Schengen Information System (SIS II) - a computerised exchange of information (names, physical characteristics, etc.) to help preserve internal security in the Schengen states because of their lack of internal border checks
  • Entry/Exit System (EES) - the systematic recording of the time of entry and exit of passengers crossing EU external borders and the provision of alerts to authorities when third-country nationals overstay in the EU; it has biometric and alphanumeric data
  • European Travel Information and Authorisation System (ETIAS) – a system to identify any risks associated with a visa-exempt visitor travelling to the Schengen area (it holds much biographical data)
  • European Criminal Records Information System for Third-country Nationals (ECRIS-TCN) – the name speaks for itself.

The commission’s proposed regulation will allow interoperability through four different components which will:

  • Allow competent authorities to search multiple IT systems simultaneously, using both biographical and biometric data
  • Enable the searching and comparing of biometric data (fingerprints and facial images) from several IT systems
  • Contain biographical and biometric identity data of third-country nationals available in existing EU IT systems
  • Check whether the biographical and/or biometric identity data contained in a search exists in other IT systems so as to enable the detection of multiple identities.

Responses have been coming in to the commission proposal, and this week the EU Fundamental Rights Agency (FRA) gave its opinion. It is worth mentioning, because the law which is going to provide us with our main protection against the state in the information age is the one which gives us data protection.

The FRA report focuses on two principles of the Charter of Fundamental Rights of the EU:

  • Interference with the right to respect for private and family life (Article 7) and
  • The right to protection of personal data (Article 8).

It stresses that the two core principles of data protection are:

  • Data minimisation (i.e. that data be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’), and
  • Purpose limitation (i.e. that personal data may be processed only for specified purposes that must be explicitly defined and must not be further processed in a manner that is incompatible with those purposes).

Using those two rights – and more, there is much more – the report suggests what changes should be made in the proposed regulation.

As this example shows, we will need the strongest data protection, the citizens’ version of a fortified castle, to survive the intrusions of the future.