EURODAC and data protection (2/2): Protection framework
While EURODAC is intended to contribute to the effective control of the Union’s external borders and aims at optimal regulation of migration flows, the nature of the data collected raises questions about the protection of the persons concerned by the collection and processing of these data. A study of the existing regulatory framework highlights, first of all, the multitude of rules applicable in this area.
Indeed, recital 43 of the EURODAC Regulation refers to the rules contained in Regulation (EU) N°2018/1725 of the European Parliament and of the Council of 23 October 2018 when the data processing is carried out by Union institutions, bodies, offices and agencies (eu-LISA in the framework of EURODAC).
Conversely, in cases where the collection and processing is carried out by a Member State, two texts are likely to apply. The first of these is Regulation (EU) N°2016/679 of the European Parliament and of the Council of 27 April 2016, also known as the General Data Protection Regulation (GDPR), which is well known and which lays down a number of provisions and guarantees for the benefit of data subjects, in particular in terms of purpose and data limitation, lawfulness, fairness and transparency of processing operations. However, this Regulation does not apply in cases where processing activities are carried out by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against, prevention of and response to threats to public security and the free movement of such data. In these cases, a second text applies: Directive (EU) N°2016/680 of the European Parliament and of the Council, known as the “Police-Justice” Directive, to which must also be added any national transposition measures which, depending on the Member State, may be stricter than the provisions of the Directive.
Above all, in addition to these general texts, the Union has developed legal regimes specific to certain bodies or organisations of the Union, and to certain databases. This is the case with EURODAC, for which Regulation N°603/2013 provides in Chapter VII for special rules on the responsibility of the Member State of origin for data processing (Article 23), transmission of data to the Central System and between Member States (Articles 24 and 26), and the rights of the data subjects concerned by the collection and processing (Article 29).
However, this plurality of applicable provisions leads to two notable consequences:
The first concerns the readability of the general framework applicable. Indeed, the multitude of applicable provisions does not make the framework comprehensible or transparent to the layman, who often finds himself drowned under the legal rules applicable to the processing in question. This situation is therefore likely to hamper the principle of transparency which should guide collection and processing operations and, above all, to hinder the understanding and exercise of the rights of data subjects.
The second consequence lies in the scope of protection. Indeed, in the context of the management of external borders, biometric data are massively used. Taking up the general scheme of the GDPR, biometric data are subject to a more extensive protection due to their sensitive nature. However, this is not the case with the “police-justice” directive which, under cover of a public security imperative, does not provide for a special legal regime for sensitive data (and therefore biometric data). Moreover, the notion of consent as a condition for the lawfulness of processing, which is at the heart of the GDPR, is not a necessary condition for processing under the regime established by the “police-justice” directive.