Explanatory Memorandum to COM(2017)793 - Establishing a framework for interoperability between EU information systems (borders and visa)

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. CONTEXTOFTHEPROPOSAL

Background of the proposal

In the past three years, the EU has experienced an increase in irregular border crossings into the EU, and an evolving and ongoing threat to internal security as demonstrated by a series of terrorist attacks. EU citizens expect external border controls on persons, and checks within the Schengen area, to be effective, to enable effective management of migration and to contribute to internal security. These challenges have brought into sharper focus the urgent need to join up and strengthen in a comprehensive manner the EU’s information tools for border management, migration and security.

Information management in the EU can and must be made more effective and efficient, in full respect of fundamental rights including, in particular, the right to the protection of personal data, in order to better protect the EU’s external borders, improve the management of migration and enhance internal security for the benefit of all citizens. There are already a number of information systems at EU level, and more systems are being developed, to provide border guards, immigration and law enforcement officers with relevant information on persons. For this support to be effective, the information provided by EU information systems needs to be complete, accurate and reliable. However, there are structural shortcomings in the EU information management architecture. National authorities face a complex landscape of differently governed information systems. Moreover, the architecture of data management for borders and security is fragmented, as information is stored separately in unconnected systems. This leads to blind spots. As a consequence, the various information systems at EU level are currently not interoperable — that is, able to exchange data and share information so that authorities and competent officials have the information they need, when and where they need it. Interoperability of EU-level information systems can significantly contribute to eliminating the current blind spots where persons, including those possibly involved in terrorist activities, can be recorded in different, unconnected databases under different aliases.

In April 2016, the Commission presented a Communication Stronger and smarter information systems for borders and security1 to address a number of structural shortcomings related to information systems.2 The aim of the April 2016 Communication was to initiate a discussion on how information systems in the European Union can better enhance border and migration management and internal security. The Council, for its part, similarly recognised the urgent need for action in this area. In June 2016, it endorsed a roadmap to enhance information exchange and information management including interoperability solutions in the Justice and Home Affairs area.3 The purpose of the roadmap was to support operational investigations and to swiftly provide front-line practitioners — such as police officers, border guards, public prosecutors, immigration officers and others — with comprehensive, topical and high-quality information to cooperate and act effectively. The European Parliament has

COM(2016) 205 of 6 April 2016.

Sub-optimal functionalities in some of the existing information systems; i information gaps in the EU’s

architecture of data management; a complex landscape of differently governed information systems; and

a fragmented architecture of data management for borders and security where information is stored

separately in unconnected systems, leading to blind spots.

1.

Roadmap of 6 June 2016 to enhance information exchange and information management including


3

also urged action in this area. In its July 2016 Resolution4 on the Commission’s work programme for 2017, the European Parliament called for ‘proposals to improve and develop existing information systems, address information gaps and move towards interoperability, as well as proposals for compulsory information sharing at EU level, accompanied by necessary data protection safeguards’. President Juncker's State of the Union address in September 20165 and the European Council conclusions of December 20166 highlighted the importance of overcoming the current shortcomings in data management and of improving the interoperability of existing information systems.

In June 2016, as a follow-up to the April 2016 Communication, the Commission set up a high-level expert group on information systems and interoperability7 in order to address the legal, technical and operational challenges of enhancing interoperability between central EU systems for borders and security, including their necessity, technical feasibility, proportionality and data protection implications. The final report of the high-level expert group was published in May 2017.8 It set out a range of recommendations to strengthen and develop the EU’s information systems and their interoperability. The EU Agency for Fundamental Rights, the European Data Protection Supervisor and the EU Counter-Terrorism Coordinator all participated actively in the work of the expert group. Each submitted supportive statements, while acknowledging that wider issues on fundamental rights and data protection had to be addressed in moving forward. Representatives of the Secretariat of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and of the General Secretariat of the Council attended as observers. The high-level expert group concluded that it is necessary and technically feasible to work towards practical solutions for interoperability and that they can, in principle, both deliver operational gains and be established in compliance with data protection requirements.

Building on the expert group’s report and recommendations, the Commission set out, in the Seventh progress report towards an effective and genuine Security Union,9 a new approach to the management of data for borders, security and migration management where all centralised EU information systems for security, border and migration management are interoperable in full respect of fundamental rights. The Commission announced its intention to pursue work towards creating a European search portal capable of querying simultaneously all relevant EU systems in the areas of security, border and migration management, possibly with more streamlined rules for law enforcement access, and to develop for these systems a shared biometric matching service (possibly with a hit-flagging functionality10) and a common identity repository. It announced its intention to present, as soon as possible, a legislative proposal on interoperability.

5

European Parliament resolution of 6 July 2016 on the strategic priorities for the Commission Work Programme 2017 (2016/2773(RSP).

State of the Union 2016 (14.9.2016), https://ec.europa.eu/commission/state-union-2016_en.

European Council conclusions (15.12.2016), www.consilium.europa.eu/en/meetings">www.consilium.europa.eu/en/meetings.

Commission Decision of 17 June 2016 setting up the high-level expert group on information systems and interoperability — 2016/C 257/03.

ec.europa.eu/transparency/regexpert. COM(2017) 261 final. New privacy-by-design concept that restricts the access to all data by limiting it to a mere ‘hit/no-hit’

4

6

7

The European Council conclusions of June 201711 reiterated the need to act. Building on the June 2017 conclusions12 of the Justice and Home Affairs Council, the European Council invited the Commission to prepare, as soon as possible, draft legislation enacting the recommendations made by the high-level expert group. This initiative also responds to the Council’s call for a comprehensive framework for law enforcement access to the various databases in the area of justice and home affairs, with a view to greater simplification, consistency, effectiveness and attention to operational needs13. In order to reinforce the efforts to make the European Union a safer society, in full compliance with fundamental rights, the Commission announced, in the context of its 2018 Work Programme14, a proposal on the interoperability of information systems to be presented by the end of 2017.

Objectives

of the proposal

The general objectives of this initiative result from the Treaty-based goals of improving the management of the Schengen external borders and contributing to the internal security of the European Union. They also stem from policy decisions by the Commission and relevant (European) Council Conclusions. These objectives are further elaborated in the European Agenda on Migration and subsequent communications, including the Communication on preserving and strengthening Schengen,15 the European Agenda on Security16 and the Commission’s work and progress reports towards an effective and genuine Security Union.17

Whilst building in particular on the April 2016 Communication and the findings of the high-level expert group, the objectives of this proposal are intrinsically linked to the above.

The specific objectives of this proposal are to:

ensure that end-users, particularly border guards, law enforcement officers, immigration officials and judicial authorities have fast, seamless, systematic and controlled access to the information that they need to perform their tasks;

provide a solution to detect multiple identities linked to the same set of biometric data, with the dual purpose of ensuring the correct identification of bona fide persons and combating identity fraud;

facilitate identity checks of third-country nationals, on the territory of a Member State, by police authorities; and

facilitate and streamline access by law enforcement authorities to non-law enforcement information systems at EU level, where necessary for the prevention, investigation, detection or prosecution of serious crime and terrorism.

11

2.

12 13


3.

14 15 16 17


European Council conclusions, 22-23 June 2017.

Outcomes of the 3546th Council meeting on Justice and Home Affairs on 8 and 9 June 2017, 10136/17.

The Council’s Committee of Permanent Representatives (Coreper), upon giving the mandate to the Council

4.

Presidency to start interinstitutional negotiations on the EU Entry/Exit System on 2 March 2017, agreed a


draft Council statement calling on the Commission to propose a comprehensive framework for law

enforcement access to the various databases in the area of justice and home affairs, with a view to greater

simplification, consistency, effectiveness and attention to operational needs (Summary Record 7177/17,

21.3.2017).

COM(2017) 650 final.

COM(2017)570 final.

COM(2015)185 final.


5.

In addition to these primary operational objectives, this proposal will also contribute to


facilitating the technical and operational implementation by Member States of existing and future new information systems;

strengthening and streamlining the data security and data protection conditions that govern the respective systems; and

improving and harmonising data quality requirements of the respective systems.

Finally, this proposal includes provisions for the establishment and governance of the Universal Message Format (UMF) as an EU standard for the development of information systems in the area of justice and home affairs, and the establishment of a central repository for reporting and statistics.

Scope

of the proposal

Together with its sister proposal presented the same day, this interoperability proposal focuses on the EU information systems for security, border and migration management that are operated at the central level, three of them existing, one on the brink of development, and two others at the stage of proposals under discussion between c o- le g isl ators. Each system has its own objectives, purposes, legal bases, rules, user groups and institutional context.

The three existing centralised information systems so far are:

the Schengen Information System (SIS) with a broad spectrum of alerts on persons (refusals of entry or stay, EU arrest warrant, missing persons, judicial procedure assistance, discreet and specific checks) and objects (including lost, stolen and invalidated identity or travel documents);

the Eurodac system with fingerprint data of asylum applicants and th ir d - country nationals who have crossed the external borders irregularly or who are illegally staying in a Member State; and

Visa Information System (VIS)

with data on short-stay visas.

In addition to these existing systems, the Commission proposed in 2016-2017 three new centralised EU information systems:

the Entry/Exit System (EES), for which the legal basis has just been agreed, which will replace the current system of manual stamping of passports and will electronically register the name, type of travel document, biom etri cs and the date and place of entry and exit of thi rd - cou ntry nationals visiting the Schengen area for a short stay;

the proposed European Travel Information and Authorisation System (ETIAS), which would, once adopted, be a largely automated system that would gather and verify information submitted by visa-exempt third-country nationals ahead of their travel to the Schengen area; and

The Commission’s December 2016 draft Regulations on SIS propose to further extend this to include return


6.

the


8

the proposed European Criminal Record Information System for th ir d - country

nationals (ECRIS- T CN system), which would be an electronic system for exchanging information on previous convictions handed down agai nst third - country nationals by criminal courts in the EU.

7.

These six syste ms are complementary and ----- with the exception of the Schengen Information


System (SIS) ----- exclusively focused on third-country nationals. The systems support national

authorities in managing borders, migration, visa processing and asylum, and in fighting crime and terrorism. The latter applies in particular to the SIS, which is the most widely used law enforcement inform ation -sharing i nstrum ent today.

8.

In addition to these information systems, centrally managed at EU level, the scope of this


proposal also includes I nterpol’s Stolen and Lost Travel Documents (SLTD) database, which pursuant to the provisions of the Schengen Borders Code is systematically queried at the EU’s

9.

external borders, and Interpol's Travel Documents Associated with Notices (TDAWN)


database. It also covers Europol data, as far as this is relevant for the functioning of the

proposed ETIAS system and for assisting Member States when querying data on serious crime and terrorism.

National information systems and decentralised EU information systems are outside the scope of this initiative. Provided that the necessity will be demonstrated, decentralised systems such as those operated under the Prüm framework,19 the Passenger Name Record (PNR) Directive20 and the Advance Passenger Information Directive21 may at a later stage be linked up to one or more of the components proposed under this initiative.

To respect the distinction between the matters which constitute a development of the Schengen acquis regarding borders and visa on the one hand and other syste ms which concern the Schengen acquis on police cooperation or are not related to the Schengen acquis on the other, this proposal deals with access to the Visa Information System, the Schengen Information System as currently regulated by Regulation (EC) No 1987/2006, the Entry-Exit System and the European Travel information and Authorisation System.

The necessary technical components to achieve interoperability

In order to achieve the objectives of this proposal, four interoperability components need to be established:

European search portal — ESP

Shared biometric matching service ----- shared BMS

Common identity repository ----- CIR

Multiple-identity detector — MID

Each of these components is described in detail in the Commission Staff Worki ng Document on the impact assessment accompanying this proposal.

10.

19 20 21 22


eur-lex.europa.eu/legal-content/EN/TXT:32008D06 15. eur-lex.europa.eu/legal-content/EN/TXT:32016L06 81. Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data. Similarly as regards the customs systems, the Council in its June 2017 conclusions invited the Commission to undertake a feasibility study to further explore the technical, operational and legal aspects of interoperability of the security and border management systems with customs systems, and present its findings for discussion

The four components combined lead to the following interoperability solution:

11.

European Search Portal


The objectives and functioning of these four components

be summarised as follows:

The European search portal (ESP) is the component that would enable the simultaneous query of multiple systems (Central-SIS, Eurodac, VIS, the future EES, and the proposed ETIAS and ECRIS-TCN systems, as well as the relevant Interpol systems and Europol data) using identity data (both biographical and biometric). It would ensure that users of the EU information systems have fast, seamless, efficient, systematic and controlled access to all information that they need to perform their tasks.

A query through the European search portal would immediately, in a matter of seconds, return information from the various systems to which the user has legal access. Depending on the purpose of the query, and the corresponding access rights, the ESP would be provided with specific configurations.

The ESP does not process any new data, and it does not store any data; it would act as a single window or ‘message broker’ to query various central systems and retrieve the necessary information seamlessly, and would do so in full respect of the access control and data protection requirements of the underlying systems. The ESP would facilitate the correct and authorised use of each of the existing EU information systems, and would make it easier and cheaper for Member States to consult and use the systems, in line with the legal instruments that govern these systems.

The shared biometric matching service (shared BMS) would enable the querying and comparison of biometric data (fingerprints and facial images) from several central systems (in particular, SIS, Eurodac, VIS, the future EES and the proposed ECRIS-TCN system). The proposed ETIAS will not contain biometric data and would therefore not be linked to the shared BMS.

Where each existing central system (SIS, Eurodac, VIS) currently has a dedicated, proprietary search engine for biometric data23, a shared biometric matching service would provide a common platform where the data is queried and compared simultaneously. The

12.

These biometric search engines are technically referred to as automated fingerprint identification system



23

shared BMS would generate substantial benefits in terms of security, cost, maintenance and operation by relying on one unique technological component instead of five different ones. The biometric data (fingerprint and facial images) are exclusively retained by the underlying systems. The shared BMS would create and retain a mathematical representation of the biometric samples (a template) but would discard the actual data, which remains thus stored in one location, only once.

The shared BMS would be a key enabler to help detect connections between data sets and different identities assumed by the same person in different central systems. Without a shared BMS, none of the other three components will be able to function.

The common identity repository (CIR) would be the shared component for storing

biographical24 and biometric identity data of third-country nationals recorded in Eurodac, VIS, the future EES, the proposed ETIAS and the proposed ECRIS-TCN system. Each of these five central systems records or will record biographical data on specific persons for specific reasons. This would not change. The relevant identity data would be stored in the CIR but would continue to belong to the respective underlying systems that recorded this data.

The CIR would not contain SIS data. The complex technical architecture of SIS containing national copies, partial national copies and possible national biometric matching systems would make the CIR very complex to a degree where it may no longer be technically and financially feasible.

The key objective of the CIR is to facilitate the biographical identification of a third-country national. It would offer increased speed of operations, improved efficiency and economies of scale. The establishment of the CIR is necessary to enable effective identity checks of third-country nationals, including on the territory of a Member State. In addition, by adding a ‘hit-flag functionality’ to the CIR it would be possible to check the presence (or non-existence) of data in any of the systems covered by the CIR through a simple hit/no-hit notification. This way, the CIR would also help streamlining of access by law enforcement authorities to non-law enforcement information systems, while maintaining a high data protection safeguard (see the section on the two-step approach to law enforcement access, hereunder).

Out of the five systems to be covered by the CIR, the future EES, the proposed ETIAS and the proposed ECRIS-TCN system are new systems that still need to be developed. The current Eurodac does not have biographical data; this extension will be developed once the new legal base for Eurodac is adopted. The current VIS does contain biographical data, but the necessary interactions between VIS and the future EES will require an upgrading of the existing VIS. The creation of the CIR therefore would arrive at the right moment. It would not in any way involve duplicating existing data. Technically, the CIR would be developed on the basis of the EES/ETIAS platform.

The multiple-identity detector (MID) would check whether the queried identity data

exists in more than one of the systems connected to it. The MID covers the systems that store identity data in the CIR (Eurodac, VIS, the future EES, the proposed ETIAS and the proposed ECRIS-TCN system) as well as the SIS. The MID would enable the detection

24 Biographical data that can be found on the travel document includes; last name, first name, gender, date of

of multiple identities linked to the same set of biometric data, with the dual purpose of ensuring the correct identification of bona fide persons and combating identity fraud.

The MID would enable to establish that different names belong to the same identity. It is a necessary innovation to effectively address the fraudulent use of identities, which is a serious breach of security. The MID would only show those biographical identity records that have a link in different central systems. These links would be detected by using the shared biometric matching service on the basis of biometric data and would need to be confirmed or rejected by the authority that recorded the data in the information system that led to the creation of the link. To assist the authorised users of the MID in this task, the system would need to label the identified links in four categories:

13.

Yellow link - potentially differing biographical identities on the same person


White link - confirmation that the different biographical identities belong to the same bona fide person

Green link - confirmation that different bona fide persons happen to share the same biographic identity

Red link - suspicion that different biographical identities are unlawfully used by the same person.

This proposal describes the procedures that would be put in place to handle these different categories. The identity of affected bona fide persons should be disambiguated as quickly as possible, by turning the yellow link into a confirmed green or white link, so as to ensure that no unnecessary inconveniences will be faced. Where, on the other hand, the assessment leads to the confirmation of a red link, or a change from a yellow into a red link, appropriate action would need to be taken.

The two-step approach to law enforcement access as provided by the common

identity repository

Law enforcement is defined as a secondary or ancillary objective of Eurodac, VIS, the future EES and the proposed ETIAS. As a result, the possibility of accessing data stored in these systems for the purpose of law enforcement is restricted. Law enforcement authorities can only consult directly these non-law enforcement information systems for the purpose of prevention, investigation, detection or prosecution of terrorism and other serious criminal offences. Moreover, the respective systems are governed by different access conditions and safeguards and some of those current rules could hinder the speed of the legitimate use of the systems by these authorities. More generally, the principle of prior search limits the possibility of Member State authorities to consult systems for justified law enforcement purposes and could thereby result in missed opportunities to uncover necessary information.

In its April 2016 Communication, the Commission acknowledged the need to optimise the existing tools for law enforcement purposes, whilst respecting data protection requirements. This necessity was confirmed and reiterated by Member States and relevant agencies in the framework of the high-level expert group.


In light of the above, by creating the CIR with a so-called hit-flag functionality, this proposal introduces the possibility for accessing the EES, the VIS, the ETIAS and Eurodac using a two-step data consultation approach. This two-step approach would not change the fact that law enforcement is a strictly ancillary objective of these systems and therefore needs to follow strict rules for access.

As a first step, a law enforcement officer would launch a query on a specific person using the person's identity data, travel document or biometric data to check whether information on the searched person is stored in the CIR. Where such data is present, the officer will receive a reply indicating which EU information system(s) contains data on this person (the hit-flag). The officer would not have actual access to any data in any of the underlying systems.

As a second step, the officer may individually request access to each system that has been indicated as containing data, in order to obtain the complete file on the queried person, in line with the existing rules and procedures established by each system concerned. This second step access would remain subject to prior authorisation by a designated authority and would continue to require a specific user ID and logging.

This new approach would also bring added value to law enforcement authorities due to the existence of potential links in the MID. The MID would help the CIR identifying existing links, which makes the search even more accurate. The MID would be able to indicate whether the person is known under different identities in different information systems.

The two-step data consultation approach is particularly valuable in cases where the suspect, perpetrator or suspected victim of a terrorist offence or other serious criminal offence is unknown. Indeed, in those cases, the CIR would enable identifying the information system that knows the person in one single search. By doing so, the existing conditions of prior searches in national databases and of a prior search in the automated fingerprint identification system of other Member States under Decision 2008/615/JHA ('Prüm check') become redundant.

The new two-step consultation approach would only enter into force once the necessary interoperability components are fully operational.

Additional

elements of this proposal to support the interoperability components

In addition to the above components, this draft Regulation also includes the proposal to establish a central repository for reporting and statistics (CRRS). This repository is necessary to enable the creation and sharing of reports with (anonymous) statistical data for policy, operational and data quality purposes. The current practice of gathering statistical data only on the individual information systems is detrimental to data security and performance and it does not enable the correlating of data across systems.

The CRRS would provide a dedicated, separate repository for anonymous statistics extracted from SIS, VIS, Eurodac, the future EES, the proposed ETIAS, the proposed ECRIS-TCN system, the common identity repository, the multiple-identity detector and the shared biometric matching service. The repository would provide for the possibility of secured sharing of reports (as regulated by the respective legal instruments) to Member States, Commission (including Eurostat) and EU agencies.


Developing one central repository instead of separate repositories for each system would lead to a lower cost and less effort for its establishment, operations and maintenance. It would also bring a higher level of data security as data is stored and access control is managed in one repository.

This draft Regulation also proposes to establish the Universal Message Format (UMF) as the standard that would be used at EU level to orchestrate interactions between multiple systems in an interoperable way, including the systems developed and managed by eu-LISA. T he use of the standard by Europol and Interpol would also be encouraged.

The UMF standard introduces a common and unified technical language to describe and link data elements, in particular the elements relating to persons and (travel) documents. Using UMF when developing new information systems guarantees easier integration and interoperability with other systems, in particular for Member States needing to build interfaces to communicate with these new systems. In this respect, the compulsory use of UMF when developing new systems can be considered a necessary precondition for the introduction of the interoperability components proposed in this Regulation.

In order to ensure the complete rollout across the EU of the UMF standard, an appropriate governance structure is proposed. The Commission would be responsible for establishing and developing the UMF standard, in the framework of an examination procedure with the Member States. Schengen associated states EU agencies and international bodies participating in the UMF projects (such as eu-LISA, Europol and Interpol) will also be involved. The proposed governance structure is vital for the UMF in order to extend and expand the standard while guaranteeing maximum usability and applicability.

This draft Regulation furthermore introduces the concepts of automated data quality control mechanisms and common quality indicators, and the need for Member States to ensure the highest level of data quality when feeding and using the systems. If data is not of the highest quality, there can be consequences not just for not being able to identify wanted persons, but also by affecting the fundamental rights of innocent people. T o overcome problems that can arise from the input of data by human operators, automatic validation rules can prevent operators from making mistakes. The goal would be to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions. This would be supplemented by regular data quality reports to be produced by the eu-LISA.

Consequences for other legal inst ruments

Together with its sister proposal, this draft Regulation introduces innovations that will require amendments of other legal instruments:

Regulation (EU) No 2016/399 (the Schengen Borders Code)

Regulation (EU) 2017/2226 (the EES Regul atio n)

Regulation (EC) No 767/2008 (the VIS Regulation)

Council Decision 2004/512/EC (the VIS Decision)

Council Decision 2008/633/JHA (the VIS/law enforcement access Decision)

[the ETIAS Regulation]

[the Eurodac Regulation]

[the SIS Regulations]

[the ECRIS-TCN Regulation, including the corresponding provisions of Regulation (EU) 2016/1624 (the European Border and Coast Guard Regulation)]

[the eu-LISA Regulation]

This current proposal and its sister proposal include detailed provisions for the necessary changes to the legal instruments that are currently sta ble texts as adopted by the co-legislators: the Schengen Borders Code, the EES Regulation, the VIS Regulation, Council Decision 2008/633/JHA and Council Decision 2004/512/EC.

The other listed instruments (Regulations on ETIAS, Eurodac, SIS, ECRIS-TCN, eu-LISA) are currently under negotiation in the European Parliament and Council. For these instruments, it is therefore not possible to set out the necessary amendments at this stage. The Commission will present such amendments for each of these instruments within two weeks of a political agreement on the respective draft Regulations being reached.

Consistency with existing policy provisions in the policy area

This proposal comes within the framework of the broader process that was launched by the April 2016 Communication Stronger and smarter information systems for borders and security, and the subsequent work of the high-level expert group on information systems and interoperability. The aim is to pursue three objectives:

(a) strengthen and maximize the benefits of existing information systems;

(b) address information gaps by establishing new information systems;

(c) enhance

interoperability between these systems.

On the first objective, the Commission adopted proposals in December 2016 for the further reinforcement of the existing Schengen Information System (SIS)25. On Eurodac, following the Commission’s proposal of May 201626, negotiations on the revised legal basis were accelerated. A proposal for a new legal basis for the Visa Information System (VIS) is also under preparation, and will be submitted in the second quarter of 2018.

Regarding the second objective, negotiations on the Commission’s April 2016 proposal to establish an Entry/Exit System (EES)27 were concluded as early as July 2017, when the co-legislators reached a political agreement, confirmed by the European Parliament in October 2017 and formally adopted by the Council in November 2017. The legal base will enter into force in December 2017. Negotiations on the November 2016 proposal for the establishment of a European Travel Information and Authorisation System (ETIAS)28 have started and are expected to be finalised in the coming months. In June 2017, the Commission proposed a legal basis for addressing another information gap: the European Criminal Record

25 COM(2016) 883 final.

26 COM(2016) 272 final.

27 COM(2016) 194 final.

28

Information System for thi rd - country nationals (ECRIS-TCN system)29. Here again, the co-legislators have indicated that they aim for an early adoption of this legal basis.

This current proposal addresses the third objective identified in the April 201 6 Communication.

Consistency with other Union policies in the area of Justice and Home Affairs

This proposal together with its sister proposal delivers on, and is in line with, the European Agenda on Migration and subsequent communications, including the Communication on preserving and strengthening Schengen30, as well as the European Agenda on Security31 and

the Commission’s work and progress reports towards an effective and genuine Security

14.

Union . It is consistent with other Union policies, in particular as follows


Internal security: the European Agenda on Security states that common high standards of border management are essential to prevent cross-border crime and terrorism. T his proposal further contributes to achieving a high level of internal security by offering the means for authorities to have fast, seamless, systematic and controlled access to the information they require.

Asylum: the proposal includes Eurodac as one of the central EU systems to be covered by interoperability.

External border management and security: this proposal reinforces the SIS and VIS

systems, which contribute to the efficient control of the Union’s external borders, as

well as the future EES and the proposed ET IAS and ECRIS- T CN system.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The main legal basis will be the following articles of the T reaty on the Functioning of the European Union: Artic le 16 i, Article 74, Article 77(2)(a) (b) (d) and (e) .

Under Article 16 i, the Union has the power to adopt measures relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and by Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Under Article 74, the Council can adopt measures to ensure admini strativ e cooperation between departments of the Member States in the area of justice, liberty and security. Under Article 77 i, (a), (b), (d) and (e) respectively, the European Parliament and the Council can adopt measures concerning the common policy on visas and other short-stay residence permits, the checks to which persons crossing external borders are subject, any measure necessary for the gradual establishment of an integrated management system for external borders and the absence of any controls on persons, w hatever th ei r nationality, when crossing internal borders.

15.

29 30 31 32


COM(2017) 344 final. COM(2017)570 final. COM(2015)185 final.

Subsidiarity

Freedom of movement within the EU requires that the external borders of the Union are effectively managed to ensure security. Member States have therefore agreed to address these challenges collectively, especially by sharing information through centralised EU systems in the area of justice and home affairs. This is confirmed by the various conclusions that have been adopted by both the European Council and the Council, especially since 2015.

The absence of internal border controls requires sound management of the Schengen external borders, where each Member State or Schengen associated country has to control the external border on behalf of the other Schengen states. Consequently, no Member State alone is able to cope on its own with irregular migration and cross-border crime. Third-country nationals who enter the area without internal border controls are able to travel freely within it. In an area without internal borders, action against irregular immigration and international crime and terrorism, including through the detection of identity fraud, should be undertaken in common, and can only be successfully addressed at EU level.

Key common information systems at EU level are in place or in the process of being put in place. Enhanced interoperability among these information systems necessarily entails EU-level action. At the heart of the proposal is the improved efficiency and use of centralised systems managed by eu-LISA. By reason of the scale, effects and impact of the envisaged actions, the fundamental objectives can only be achieved efficiently and systematically at EU level.

Proportionality

As explained in full detail in the impact assessment accompanying this proposed Regulation, the policy choices made in this proposal are considered proportionate. They do not go beyond what it necessary to achieve the agreed objectives.

The European search portal (ESP) is a necessary tool to reinforce the authorised use of the existing and future EU information systems. The impact of the ESP in terms of data processing is very limited. It will not store any data, except information regarding the various user profiles of the ESP, and the data and information systems to which they have access, and keeping track of their use by means of logs. The role of the ESP as a message broker, an enabler and a facilitator, is proportionate, necessary and limited in terms of searches and access rights under the mandates of the legal bases dealing with information systems and the proposed Regulation on interoperability.

The shared biometric matching service (shared BMS) is necessary for the functioning of the ESP, the common identity repository and the multiple-identity detector and facilitates the use and maintenance of the existing and future relevant EU information systems. Its functionality enables the performing of searches on biometric data from various sources in an efficient, seamless and systematic way. The biometric data are stored and retained by the underlying systems. The shared BMS creates templates but will discard the actual images. The data is thus stored in one location, only once.

The common identity repository (CIR) is necessary in order to achieve the purpose of correct identification of a third-country national, e.g. during an identity check within the Schengen area. The CIR also supports the functioning of the multiple-identity detector and is therefore a necessary component to achieve the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. Access to the CIR for this purpose is

limited to those users that need this information to carry out their tasks (which requires these checks to become a new ancillary purpose of Eurodac, VIS, the future EES, the proposed ETIAS and the proposed ECRIS-TCN system). The data processes are strictly limited to what is needed to achieve this goal, and adequate safeguards will be established to ensure access rights are respected and the data stored in the CIR is the minimum necessary. In order to ensure data minimisation and to avoid unjustified duplication of data, the CIR holds the required biographic data of each of its underlying systems — stored, added, modified and deleted in accordance with their respective legal basis — without copying it. Data retention terms are fully aligned with the data retention provisions of the underlying information systems providing the identity data.

The multiple-identity detector (MID) is necessary to provide a solution for the detection of multiple identities with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud. The MID will contain the links between individuals present in more than one central information system, strictly limited to the data needed to verify that a person is recorded lawfully or unlawfully under different biographical identities in different systems but also to clarify that two persons having similar biographical data may not be the same person. Data processing through the MID and the shared BMS in order to link individual files across individual systems is kept to an absolute minimum. The MID will include safeguards against potential discrimination or unfavourable decisions for persons with multiple lawful identities.

Choice

of the instrument

A Regulation of the European Parliament and the Council is proposed. The proposed legislation addresses directly the operation of central EU information systems for borders and security, all of which have been, or are proposed to be, established under Regulations. Similarly, eu-LISA, which will be responsible for the design and development, and in due course technical management, of the components is also established under a Regulation. A Regulation is therefore the appropriate choice of instrument.

3. RESULTS OF STAKEHOLDER CONSULTATIONS AND IMPACT

ASSESSMENTS

Public

consultation

In preparation of this proposal the Commission launched in July 2017 a public consultation to collect the views of interested stakeholders on the subject of interoperability. The consultation received 18 responses from a variety of stakeholders, including Member State governments, private sector organisations, other organisations such as NGOs and think tanks, as well as private citizens . Overall, the responses were broadly in favour of the underlying principles of this interoperability proposal. T he vast majority of respondents agreed that the issues the consultation identified were the correct ones, and that the objectives that the interoperability package seeks to achieve are correct. In particular, respondents considered that the options outlined in the consultation paper would:

help staff on the ground access the information they need;

avoid duplication of data, reduce overlaps and highlight discrepancies in data;


33

identify people more reliably ----- including people with multiple identities ----- and

reduce identity fraud.

A clear majority of respondents supported each of the proposed options and considered them to be necessary to achieve the objectives of this initiative, underlining in their responses the need for strong and clear data protection measures, particularly in relation to access to the information stored in the systems and data retention, and the need for up-to-date, high-quality data in the systems and measures to ensure this.

All the points raised have been taken into account in the preparation of this proposal.

Eurobarometer survey

In June 2017, a Special Eurobarometer34 survey was conducted, sowing that the EU’s

strategy of sharing information at EU level to combat crime and terrorism has widespread public support: almost all respondents (92 %) agree that national authorities should share information with the authorities of other Member States to better fight crime and terrorism.

A clear majority (69 %) of respondents expressed the view that the police and other national law enforcement authorities should share information with other EU countries on a systematic basis. In all Member States, a majority of respondents think that information should be shared in e very case.

High-level expert group on information systems and interoperability

As already indicated in the introduction, this current proposal builds on the recommendations of the high-level expert group on information systems and interoperability . This group was established in June 2016 with the objective of addressing the legal, technical and operational challenges of available options to achieve interoperability between central EU systems for borders and security. The group took a broad and comprehensive perspective on the data management architecture for border management and law enforcement, taking into account also the relevant roles, responsibilities and systems for customs authorities.

The group comprised experts from Member States and Schengen associated countries, and from the EU agencies eu-LISA, Europol, the European Asylum Support Office, the European Border and Coast Guard Agency and the EU Agency for Fundamental Rights. The EU Counter-Terrorism Coordinator and the European Data Protection Supervisor also participated as full members of the expert group. In addition, representatives of the secretariat of the

European Parliament’s Committee on Civil Liberties, Justice and Home Affairs and of the

General Secretariat of the Council attended as observers.

The final report of the high-level expert group was published in May 2017 . It underlined the need to act to address the structural shortcomings identified in the April 2016

Communication. It set out a range of recommendations to strengthen and develop the EU’s

information systems and interoperability. It concluded that it is necessary and technically feasible to work towards the European search portal, the shared biom etric matching

34 The Report on Europeans’ attitudes towards security analyses the results of the Special Eurobarometer public opinion survey (464b) regarding citizens’ overall awareness, experiences and perceptions of security. This survey was carried out by TNS Political & Social network in the 28 Member States between 13 and 26 June 2017. Some 28 093 EU citizens from different social and demographic categories were interviewed.

35 Commission Decision of 17 June 2016 setting up the high-level expert group on information systems and interoperability — 2016/C 257/03.

36

service and the common identity repository as solutions for interoperability and that they can, in principle, both deliver operational gains and be established in compliance with data protection requirements. The group also recommended considering the additional option of a two-step approach towards law enforcement access, based on a hit-flagging functionality.

This draft Regulation also responds to the high-level experts group’s recommendations on

data quality, the Universal Message Format (UMF) and the establishment of a data warehouse (here presented as the central repository for reporting and statistics (CRRS)).

The fourth interoperability component proposed in this draft Regulation (the m ultipl e-ide nti ty detector) was not identified by the high-level expert group, but arose during the course of additional technical analysis and the proportionality assessment conducted by the Commission.

Technical studies

Three studies were commissioned to support the preparation of the proposal. Contracted by the Commission, Unisys delivered a report on a feasibility study for the European search portal. eu-LISA commissioned a technical report from Gartner (with Unisys) to support the development of the shared biom etric matching service. PWC delivered to the Commission a technical report on a common identity repository.

Im pact assessment

This proposal is supported by an impact assessment as presented in the accompanying Staff Working Docum ent SWD(2017) 473.

The Regulatory Scrutiny Board reviewed the draft impact assessment at its meeting of 6 December 2017 and delivered its opinion (positive with reservations) on 8 December indicating that the impact assessment be adjusted in order to integrate the Boards recommendations on specific aspects. These related firstly to additional measures under the preferred option streamlining end-users existing data access rights in EU information systems, and to illustrate associated safeguards for data protection and fundamental rights.

The second main consideration was to clarify the integration of the Schengen Information System under option 2, including effectiveness and costs to facilitate its comparison with the preferred option 3. The Commission updated its impact assessment to respond to these main considerations and to address a number of other com ments made by the Board.

The impact assessment evaluated if and how each of the identified objectives could be achieved by using one or more of the technical components identified by the high-level expert group and through subsequent analysis. Where necessary it also looked into sub-options necessary to meet these objectives, whilst respecting the data protection framework. The impact assessment concluded that:

To meet the objective of providing authorised users with fast, seamless, systematic and controlled access to relevant information systems, a European search portal (ESP) should be created, built on a shared biometric matching service (shared BMS) to address all databases.

To meet the objective of f aci litating identity checks of thi rd - c ountry nationals, on the territory of a Member State, by authorised officers, a common identity repository

(CIR) should be created, containing the minimum set of identification data, and built on the same shared BMS.

To meet the objective of detecting multiple identities linked to the same set of biometric data, with the dual purpose of facilitating identity checks for bona fide travellers and combating identity fraud, a m ultip le- ide ntity detector (MID) should be built, containing links between multiple identities across systems.

To meet the objective of facilitating and streamlining access by law enforcement authorities to non-law enforcement information systems, for the purpose of preventing, investigating, detecting or prosecuting serious crime and terrorism, a hit-

flag’ functionality should be included in the CIR.

Since all objectives must be met, the complete solution is the combination of ESP, CIR (with hit flagging) and MID, all relying on the shared BMS.

The major positive impact will be the improvement of border management and increased internal security within the European Union. The new components will streamline and expedite access by national authorities to the necessary information and identification of third-country nationals. They will enable authorities to make cross-links to already existing, necessary information on individuals during border checks, for visa or asylum applications, and for police work. This will enable access to information that can support reliable decisions being made, whether relating to investigations of serious crime and terrorism or decisions in the field of migration and asylum. Whilst not directly affecting EU nationals (the proposed measures are primarily focused on thi rd - country nationals whose data is recorded in an EU centralised information system), the proposals are expected to generate increased public trust by ensuring that their design and use increases the security of EU citizens.

The immediate financial and economic impacts of the proposal will be limited to the design, development and operation of the new facilities. The costs will fall to the EU budget and to Member State authorities operating the systems. The impact on tourism will be positive as the proposed measures will both improve the security of the European Union and should also be beneficial for a speedier border control. Similarly, the impact on airports, seaports and carriers is expected to be positive, in particular because of expedited border control checks.

Fundamental rights

The impact assessment looked in particular into the impacts of the proposed measures on fundamental rights and, in particular, to the right to data protection.

In accordance with the Charter of Fundamental Rights of the EU, to which EU institutions and Member States, when they implement EU law, are bound (Article 51 i of the Charter), the opportunities offered by interoperability as a measure to enhance security and the protection of the external border need to be balanced with the obligation to ensure that interferences with fundamental rights that may derive from the new interoperability environment are limited to what is strictly necessary to genuinely meet the objectives of general interest pursued, subject to the principle of proportionality (Article 52 i of the Charter).

The proposed interoperability solutions are complementary components to existing systems. As such, they would not alter the balance already ensured by each of the existing central systems as regards their positive impact on fundamental rights.

Nevertheless, interoperability does have the potential of having an additional, indirect impact on a number of fundamental rights. Indeed, the correct identification of a person has a positive impact on the right to respect for private life, and in particular the right to one’s identity (Article 7 of the Charter), as it can contribute to avoid identity confusions. On the other hand, conducting checks based on biometric data can be perceived as interfering with the person’s right to dignity (in particular, where it is perceived as humiliating) (Article 1). Yet in a survey37 by the EU Agency for Fundamental Rights, respondents were specifically asked whether they believed that giving their biometrics in the context of border control might be humiliating. The majority of respondents did not feel that it would.

The proposed interoperability components offer the opportunity to adopt targeted preventive measures to enhance security. As such, they can contribute to the protection of people’s right to life (Article 2 of the Charter), which also implies a positive obligation on authorities to take preventive operational measures to protect an individual whose life is at risk, if they know or ought to have known of the existence of an immediate risk38, as well as to uphold the prohibition of slavery and forced labour (Article 5).Through a reliable, more accessible and easier identification, interoperability can support the detection of missing children or children subject to people trafficking, and facilitate swift and targeted responses.

A reliable, more accessible and easier identification could also contribute to ensuring that the right to asylum (Article 18 of the Charter) and the prohibition of refoulement (Article 19 of the Charter) are effectively ensured. Interoperability could in fact prevent situations where asylum applicants are unlawfully apprehended, detained and made subject to undue expulsion. Furthermore, through interoperability, identity fraud will be more easily identified. It would also reduce the need to share data and information about asylum applicants with third countries (particularly the country of origin) for the purpose of establishing the person’s identity and obtaining travel documents, which could potentially endanger the person concerned.

Protection

of personal data

Given the personal data involved, interoperability will especially have an impact on the right to the protection of personal data. This right is established by Article 8 of the Charter and Article 16 of the Treaty on the Functioning of the European Union, and in Article 8 of the European Convention on Human Rights. As underlined by the Court of Justice of the EU39, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society40. Data protection is closely linked to respect for private and family life protected by Article 7 of the Charter.

38

39

FRA survey in the framework of the eu-LISA pilot on smart borders — travellers’ views on and experiences of smart borders, Report by the EU Agency for Fundamental Rights: ec.europa.eu/dgs/home-affairs/what-we-do/policies.

European Court of Human Rights, Osman v United Kingdom, No. 87/1997/871/1083, 28 October 1998, para. 116.

Court of Justice of the EU, judgment of 9.11.2010, Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke and Eifert [2010] ECR I-0000.

In line with Article 52 i of the Charter, limitations may be imposed on the exercise of the right to data protection as long as the limitations are provided for by law, respect the essence of the right and freedoms and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general


37

40

According to the General Data Protection Regulation41, the free movement of data within the EU is not to be restricted for reasons of data protection. However, a series of principles must be met. Indeed, to be lawful, any limitation on the exercise of the fundamental rights protected by the Charter must comply with the following criteria, laid down in its

Artice 52 i:

it must be provided for by law;

it m ust respect the essence of the rights;

it must genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others;

it must be necessary; and

it must be proportional.

This current proposal embeds all these data protection rules, as set out in full detail in the impact assessment accompanying this proposed Regulation. The proposal is based on the principles of data protection by design and by default. It includes all appropriate provisions limiting data processing to what is necessary for the specific purpose and granting data access only to those entities that ‘need to know’. Data retention periods (where relevant) are appropriate and limited. Access to data is reserved exclusively for duly authorised staff of the Member State authorities or EU bodies that are competent for the specific purposes of each information system and limited to the extent that the data are required for the performance of tasks in accordance with these purposes.

4. BUDGETARY IMPLICATIONS

The budgetary implications are included in the attached financial statement. It covers the remaining period of the current multiannual financial framework (until 2020) and the seven years of the following period (2021-2027). The proposed budget for the years 2021 and beyond is included for illustrative purposes and does not prejudge the next multiannual financial framework.

The implementation of this proposal will require budgetary allocations for:

The development and integration by eu - LISA of the four interoperability components, and the central repository for reporting and statistics, and their subsequent maintenance and operations.

(2) The data migration to the shared biometric matching service (shared BMS) and the common identity repository (CIR). In the case of the shared BMS, the biometric templates of the corresponding data from the three systems that currently use biometrics (SIS, VIS and Eurodac) need to be recreated on the shared BMS. In the case of CIR, the personal data elements from VIS need to be migrated to the CIR, and the possible links found between identities in SIS, VIS and Eurodac need to be validated. T his last process, in particular, is resource intensive.

The update by eu - LISA of the national uniform interface (NUI) already included in the EES Regulation to become a generic component that allows the exchange of

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and

4

messages between Member States and the central system(s).

The integration of Member State national systems with the NUI that will convey the messages exchanged with CIR/ multiple-identity detector through the European search portal.

The training on the use of the interoperability components by end-users, including through the European Union Agency for Law Enforcement Training (CEPOL).

The interoperability components are built and maintained as a programme. While the European search portal (ESP) and the multiple-identity detector are entirely new components, along with the central repository for reporting and statistics (CRRS), the shared BMS and the CIR are shared components that combine existing data held (or to be held) in existing or new systems with their existing budgetary estimates.

The ESP will implement existing, known interfaces towards SIS, VIS and Eurodac and will in due course be extended towards new systems.

The ESP will be used by Member States and agencies using an interface based on Universal Message Format (UMF). This new interface will require developments, adaptations, integrations and testing by the Member States, eu-LISA, Europol and the European Border and Coast Guard Agency. The ESP would use the concepts of the national uniform interface (NUI) introduced for EES, which would lower the integration efforts.

The ESP will generate additional costs for Europol in order to make the QUEST interface available for use with basic protection level (BPL) data.

The basis of the shared BMS will de facto be established with the creation of the new EES as this constitutes by far the greatest volume of new biometric data. The required budget was reserved under the EES legal instrument. Adding further biometric data from VIS, SIS and Eurodac to the shared BMS constitutes an additional cost mainly linked to the migration of existing data. This is estimated at EUR 10 m for all three systems. Adding new biometric data from the proposed ECRIS-TCN system constitutes a limited additional cost that can be covered from the funds reserved under the proposed ECRIS-TCN legal instrument to establish an ECRIS-TCN automated fingerprint identification system.

The common identity repository will be established with the creation of the future EES and further extended when developing the proposed ETIAS. The storage and search engines for these data were included in the budget reserved under the future EES and the proposed ETIAS legal instruments. Adding new biographical data from both Eurodac and the proposed ECRIS-TCN system constitutes a minor additional cost that was already reserved under the Eurodac and the proposed ECRIS-TCN legal instruments.

The total budget required over nine years (2019-2027) amounts to EUR 424.7 million, covering the following items:

A budget of EUR 225 million for eu-LISA which covers the total cost for the

development of the programme delivering the five interoperability components (EUR 68.3 million), the maintenance cost from the moment components are delivered up until 2027 (EUR 56.1 million), a specific budget of EUR 25 million for the migration of data from existing systems to the shared BMS and the additional costs for the NUI update, network, training and meetings. A specific budget of EUR 18.7 million covers the cost of upgrading and operating ECRIS-TCN in high-

availability mode from 2022.

A budget of EUR 136.3 million for Member States to cover the changes to their national systems in order to use the interoperability components, the NUI delivered by eu-LISA and a budget for the training of the substantial end-user community.

A budget of EUR 48.9 million for Europol to cover the upgrade of Europol's IT systems to the volume of messages to be handled and the increased performance levels42. The interoperability components will be used by ETIAS in order to consult the Europol data.

A budget of EUR 4.8 million for the European Border and Coast Guard Agency for hosting a team of specialists who during one year will validate the links between identities at the moment the multiple-identity detector goes live.

A budget of EUR 2.0 million for European Union Agency for Law Enforcement Training (CEPOL) to cover the preparation and delivery of training to operational staff.

A provision of EUR 7.7 million for DG HOME in order to cover a limited increase of staff and related costs during the development period of the different components, as the Commission will also have to fulfil additional tasks during that period and takes the responsibility for the committee dealing with Universal Message Format.

The Internal Security Fund (ISF) Borders Regulation is the financial instrument where the budget for the implementation of the interoperability initiative has been included. It provides in Article 5(b) that EUR 791 million is to be implemented through a programme for developing IT systems based on existing and/or new IT systems, supporting the management of migration flows across the external borders subject to the adoption of the relevant Union legislative acts and under the conditions laid down in Article 15 i. Of this EUR 791 million, EUR 480.2 million is reserved for the development of the EES, EUR 210 million for ETIAS and EUR 67.9 million for the revision of SIS. The remainder (EUR 32.9 million) is to be reallocated using ISF-B mechanisms. The current proposal requires EUR 32.1 million for the current multiannual financial framework period (2019/20) which therefore fits with the remaining budget.

5. ADDITIONAL INFORMATION

Implementation plans and monitoring, evaluation and reporting arrangements

eu-LISA is responsible for the operational management of large-scale IT systems in the area of freedom, security and justice. As such, it is already entrusted with the operation and technical and operational improvements of existing systems, and the development of the future systems already envisaged. Under this proposed Regulation, it will define the design of the physical architecture of the interoperability components, develop and implement them, and ultimately host them. The respective components will be implemented incrementally, in conjunction with the development of the underlying systems.

42 The current information handling capacity of Europol is not compliant with the substantial volumes (average

The Commission will ensure that systems are in place to monitor the development and functioning of the four components (European search portal, shared biometric matching service, common identity repository, multiple-identity detector) and the central repository for reporting and statistics, and evaluate them against the main policy objectives. Four years after the functionalities are put in place and operating, and every four years thereafter, eu-LISA should submit to the European Parliament, the Council and the Commission a report on the technical functioning of the interoperability components. In addition, five years after the functionalities are put in place and operating, and every four years thereafter, the Commission should produce an overall evaluation of the components, including on the direct or indirect impact of the components and of its practical implementation on fundamental rights. It should examine results achieved against objectives and assess the continuing validity of the underlying rationale and any implications for future options. The Commission should submit the evaluation reports to the European Parliament and the Council.

Detailed explanation of the specific provisions of the proposal

Chapter I sets out the general provisions for this Regulation. It explains: the principles underlying the Regulation; the components established therein; the objectives that interoperability seeks to address; the scope of this Regulation; the definitions of the terms used in this Regulation; and the principle of non-discrimination regarding the processing of data under this Regulation.

Chapter II sets out the provisions for the European search portal (ESP). This chapter provides for the establishment of the ESP and its technical architecture, to be developed by eu-LISA. It specifies the aim of the ESP and identifies those who may use the ESP and how they are to use it in accordance with existing access rights for each of the central systems. There is a provision for eu-LISA to create user profiles for each category of user. This chapter sets out how the ESP will query central systems and provides for the content and format of replies to users. Chapter II also provides that eu-LISA will keep logs of all processing operations, and provides for the fall-back procedure in case the ESP would be unable to access one or more of the central systems.

Chapter III sets out the provisions for the shared biometric matching service (shared BMS). This chapter provides for the establishment of the shared BMS and its technical architecture, to be developed by eu-LISA. It specifies the aim of the shared BMS and sets out what data it stores. It explains the relationship between the shared BMS and the other components. Chapter III also provides that the shared BMS will not continue to store data once the data is no longer contained in the respective central system and provides that eu-LISA will keep logs of all processing operations.

Chapter IV sets out the provisions for the common identity repository (CIR). This chapter provides for the establishment of the CIR and its technical architecture, to be developed by eu-LISA. It sets out the aim of the CIR and clarifies which data will be stored, and how, including provisions to ensure the quality of the data stored. This chapter provides that the CIR will create individual files based on data held in the central systems, and that individual files are updated in line with changes in the individual central systems. Chapter IV also specifics how the CIR will operate in relation to the multiple-identity detector. This chapter identifies those who may have access to the CIR and how they may access the data in accordance with access rights, and more specific provisions depending on whether access is for identification purposes or, as a first step of the two-step approach, for accessing the EES, the VIS, the ETIAS and Eurodac via the CIR for law enforcement purposes. Chapter IV also provides that eu-LISA will keep logs of all processing operations concerning the CIR.

Chapter V sets out the provisions for the multiple-identity detector (MID). This chapter provides for the establishment of the MID and its technical architecture, to be developed by eu-LISA. It explains the aim of the MID and regulates the use of the MID in accordance with access rights to each of the central systems. Chapter V sets out when and how the MID will launch searches to detect multiple identities, and how results are delivered and to be followed up, including when necessary through manual verification. Chapter V sets out a classification of the types of link that can result from the search depending on whether the result shows a single identity, multiple identities or shared identity data. This chapter provides that the MID will store linked data held in the central systems while data remains in two or more individual central systems. Chapter V also provides that eu-LISA will keep logs of all processing operations concerning the MID.

Chapter VI makes provision for measures to support interoperability. It provides for improving data quality, establishing the Universal Message Format as the common standard for information exchange supporting interoperability, and creating a central repository for reporting and statistics.

Chapter VII relates to data protection. This chapter makes provisions ensuring that data processed under this Regulation is processed lawfully and appropriately, in line with the provisions of Regulation No 45/2001. It explains who the data processor will be for each of the interoperability measures proposed in this Regulation, sets out measures required from eu-LISA and Member State authorities to ensure the security of data processing, the confidentiality of data, the appropriate handling of security incidents and the appropriate monitoring of compliance with the measures in this Regulation. The chapter also contains provisions regarding the rights of data subjects, including the right to be informed that data regarding them has been stored and processed under this Regulation, and the right to access, correct and erase personal data that has been stored and processed under this Regulation. This chapter further sets out the principle that data processed under this Regulation must not be transferred or made available to any third country, international organisation or private party, with the exception of Interpol for some specific purposes, and data received from Europol via the European search portal where the rules of Regulation 2016/794 on subsequent data processing apply. Lastly, the chapter sets out the provisions relating to supervision and audit in relation to data protection.

Chapter VIII sets out the responsibilities eu-LISA before and after the entry into operations of the measures in this proposal, and for Member States, Europol and the ETIAS central unit.

Chapter IX concerns amendments to other Union instruments. This chapter introduces the changes to other legal instruments that are necessary for the full implementation of this interoperability proposal. This proposal includes detailed provisions for the necessary changes to the legal instruments that are currently stable texts as adopted by the co-legislators: the Schengen Borders Code, the EES Regulation, the VIS Regulation (EC), the Council Decision 2004/512/EC (the VIS Decision) and the Council Decision 2008/633/JHA (the VIS/law enforcement access Decision).

Chapter X sets out details relating to: statistical and reporting requirements relating to data processed under this Regulation; transitional measures that will be required; arrangements relating to costs arising from this Regulation; requirements relating to notifications; the process for the start of operations of measures proposed in this Regulation; governance arrangements including the formation of a committee and an advisory group, eu-LISA's responsibility in relation to training, and a practical handbook to support implementation and management of the interoperability components; procedures relating to monitoring and

evaluation of the measures proposed in this Regulation; and provision for the entry into force of this Regulation.