Connecting Personal Data of Third Country Nationals: Interoperability of EU Databases in the Light of the CJEU's Case Law on Data Retention

On 12 December 2017, the EU Commission presented a proposal on the interoperability of EU large-scale Information Systems. The proposal seeks to enable all centralised EU databases for security, border and migration management to be interconnected by 2020.

The underlying IT systems retain data of Third Country Nationals (TCNs), namely travellers, applicants for international protection, information relating to visa applications or data on missing persons and criminals. With the proposal, the Commission seeks to create new possibilities to exchange information, manage migration challenges and to enhance the Union’s internal security.

The interconnectivity of databases would introduce fundamental changes to the current structure of EU IT-systems and requires careful consideration and assessment of compliance with EU data protection standards. This also means that access to information in an interoperable system must be strictly aligned to the access rights of the underlying databases and that requesting authorities only obtain the data that they are authorized to access.

With interoperability, data once held in silos would be retained in three new centralized databases and would be more easily accessible, also for the prevention, investigation and prosecution of crime. Where criminal investigations previously required multiple searches in separate databases, this cascading safeguard shall progressively be abandoned to streamline access to personal data by law enforcement authorities. Despite simplified access conditions, this would require new types of processing operations for which the interoperability proposal does not provide a legal basis.

During recent years, several judgments of the Court of Justice of the European Union (CJEU) have highlighted the difficulty of striking a proper balance between the fundamental rights to privacy and data protection, enshrined in Article 7 and 8 of the Charter of Fundamental Rights of the European Union (EU Charter) with an increased demand for security and the surveillance of potential criminals. The Court repeatedly pointed out the need to strike a fair balance between these (allegedly) competing interests and emphasised that law enforcement authorities should not be granted access to personal data without prior authorization.

Using the CJEU’s judgments as vehicle and considering the assumption that TCNs risk to become subject to data retention measures in a disproportionate manner, the following analysis seeks to assess both existing EU databases and their foreseen interoperability against the requirements established by the Court in order to evaluate their (in)-compatibility with the fundamental rights standards enshrined in the EU Charter.