Explanatory Memorandum to COM(2016)882 - Establishment, operation and use of the Schengen Information System (SIS) in the field of border checks

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Over the course of the last two years, the European Union has been working on simultaneously addressing the separate challenges of migration management, integrated border management of the EU's external borders and the fight against terrorism and cross-border crime. Effective information exchange amongst Member States, and between Member States and the relevant EU agencies, is essential to providing a robust response to those challenges and to building an effective and genuine Security Union.

The Schengen Information System (SIS) is the most successful tool for the effective cooperation of immigration, police, customs and judicial authorities in the EU and the Schengen associated countries. Competent authorities in the Member States such as police, border guards and customs officers need to have access to high quality information about the persons or objects they are checking, with clear instructions about what needs to be done in each case. This large-scale information system is at the very heart of Schengen cooperation and plays a crucial role in facilitating the free movement of people within the Schengen area. It enables competent authorities to enter and consult data on wanted persons, persons who may not have the right to enter or stay in the EU, missing persons – in particular children – and objects that may have been stolen, misappropriated or lost. SIS not only contains information about a particular person or object but also clear instructions for the competent authorities on what to do with that person or object once found.

In 2016, the Commission carried out a comprehensive evaluation 1 of SIS, three years after the entry into operation of its second generation. This evaluation showed that SIS has been a genuine operational success. In 2015, national competent authorities checked persons and objects against data held in SIS on nearly 2.9 billion occasions and exchanged over 1.8 million pieces of supplementary information. Nonetheless, as announced in the Commission Work Programme 2017, building on this positive experience, the effectiveness and efficiency of the system should be further strengthened. To this end, the Commission is presenting a first set of three proposals to improve and extend the use of SIS as result of the evaluation while continuing its work to make existing and future law enforcement and border management systems more interoperable, following up on the ongoing work of the High Level Expert Group on Information Systems and Interoperability.

These proposals cover the use of the system (a) for border management, (b) for police cooperation and judicial cooperation in criminal matters, and (c) for the return of illegally staying third country nationals. The first two proposals together form the legal bases for the establishment, operation and use of the SIS. The proposal for the use of SIS for the return of illegally staying third country nationals supplements the proposal for border management and complements the provisions contained therein. It establishes a new alert category and contributes to the implementation and monitoring of Directive 2008/115/EC 2 .

Due to the variable geometry in Member States' participation in EU policies in the area of freedom, security and justice, it is necessary to adopt three separate legal instruments which will nonetheless work seamlessly together to enable the comprehensive operation and use of the system.

In parallel, with a view to enhancing and improving information management at EU level, in April 2016, the Commission began a process of reflection on 'Stronger and Smarter Information Systems for Borders and Security'. 3 The overarching objective is to ensure that competent authorities systematically have the necessary information from different information systems at their disposal. In order to achieve this objective, the Commission has been reviewing the existing information architecture to identify information gaps and blind spots that result from shortcomings in the functionalities of existing systems, as well as from fragmentation in the EU's overall architecture of data management. The Commission set up a High Level Expert Group on Information Systems and Interoperability to support this work, whose interim findings have also informed this first set of proposals as regards issues of data quality. 4 President Juncker's State of the Union address in September 2016 also referred to the importance of overcoming the current shortcomings in information management and of improving the interoperability and interconnection between existing information systems.

Following the findings of the High Level Expert Group on Information Systems and Interoperability, which will be presented in the first half of 2017, the Commission will consider a second set of proposals to further improve interoperability of SIS with other IT systems in mid-2017. The review of Regulation (EU) No 1077/2011 5 concerning the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) is an equally important element of this work and is likely to be the subject of separate Commission proposals also in 2017. Investing in swift, effective and qualitative information exchange and information management and ensuring the interoperability of EU databases and information systems is an important aspect of addressing current security challenges.

The current legal framework of the second generation of SIS – concerning its use for the purposes of border checks of third-country nationals is based upon a former first pillar instrument, namely Regulation (EC) No 1987/2006 6 . This proposal replaces 7 the current legal instrument in order to:

• make it compulsory for Member States to enter an alert in SIS in all cases where an entry ban has been issued to an illegally staying third country national in accordance with provisions respecting Directive 2008/115/EC;

• harmonise national procedures for the use of SIS with regard of the consultation procedure to avoid that a third-country national who is subject to an entry ban, holds a valid residence permit issued by a Member State;

• introduce technical changes to improve security and help reduce administrative burdens;

• address the complete end-to-end use of SIS, covering not only the central and national systems, but also the needs of the end-user by ensuring that end-users receive all necessary data to perform their tasks and they comply with all security rules when they process SIS data.

The proposals develop and improve the existing system, rather than establishing a new one. The revision of the SIS will support and strengthen the European Union actions under the European Agendas of Migration and Security, and implements:

consolidation of the results of the work on the implementation of SIS carried out in the last three years entailing technical amendments to the Central SIS in order to extend some of the existing alert categories and provide new functionalities;

recommendations for technical and procedural changes resulting from a comprehensive evaluation of the SIS 8 ;

requests from SIS end-users for technical improvements; and

the interim findings of the High Level Expert Group on Information Systems and Interoperability 9 as regards data quality.

In light of the fact that this proposal is intrinsically linked to the Commission proposal for a Regulation on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters, a number of provisions are common to both texts. These include measures covering the end-to-end use of SIS, including not only the operation of the central and national systems, but also end-user needs; strengthened measures for business continuity; measures addressing data quality, data protection and data security, and provisions concerning monitoring, evaluation and reporting arrangements. Both proposals also extend the use of biometric information. 10

With the escalation of the migration and refugee crisis in 2015, the need to take effective steps to tackle irregular migration rose considerably. In its EU Action plan on return 11 , the Commission announced that it would propose to make it compulsory for Member States to introduce all entry bans in SIS to help prevent the re-entry into the Schengen area of third country nationals who are not allowed to enter and stay on the territory of the Member States. Entry bans issued in accordance with provisions respecting Directive 2008/115/EC have a Schengen-wide effect; hence they can be enforced at the external borders also by authorities of a Member State other than the one that issued the ban. The existing Regulation (EC) No 1987/2006 only allows but does not require Member States to introduce alerts for refusal of entry and stay on the basis of entry bans in SIS. A greater level of effectiveness and harmonisation may be achieved by making it mandatory to enter all entry bans in the SIS.

Consistency with existing policy provisions in the policy area as well as with existing and future legal instruments

This proposal is fully consistent and aligned with the provisions of Directive 2008/115/EC on the issuance and enforcement of entry bans. It therefore complements the existing provisions on entry bans and contributes to the effective enforcement of these bans at the external border, facilitating the application of the obligations defined by the Return Directive and successfully preventing the re-entry of third country nationals concerned in the Schengen area.

Consistency with other Union policies

This proposal is closely linked with and complements other Union policies, namely:

Internal security in relation to the role of SIS for preventing the entry of third-country nationals posing a security threat.

Data protection insofar as this proposal ensures the protection of fundamental rights of individuals whose personal data is processed in SIS.

This proposal is also closely linked with and complements existing Union legislation, namely:

External border management insofar as this proposal assists Member States in controlling their portion of the EU's external borders and in strengthening the effectiveness of the EU system of external border controls.

An effective EU returns policy contributing to and enhancing the EU system to detect and prevent the re-entry of third-country nationals following their return. This proposal would help reducing incentives to irregular migration to the EU, one of the main objectives of the European Agenda on Migration 12 .

European Border and Coast Guard as regards (i) the possibility for the Agency staff conducting risk analyses and (ii) the access to SIS of the ETIAS Central Unit within the Agency for the purposes of the proposed European Travel Information and Authorisation System (ETIAS) 13 , as well as (iii) for providing a technical interface for SIS access to European Border and Coast Guard Teams, teams of staff involved in return-related tasks and members of the migration management support teams to, within their mandate, have the right to access and search data entered in SIS.

Europol - broader rights to access and search the SIS data, within its mandate, is proposed.

1.

This proposal is also closely linked with and complements future Union legislation, namely


Entry/Exit System which proposed a combination of fingerprint and facial image as biometric identifiers for the operation of the Entry/Exit System (EES); an approach that this proposal seeks to reflect.

ETIAS which proposed a thorough security assessment, including a verification in SIS, of visa-exempted third country nationals who intend to travel in the EU.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The proposal uses Articles 77(2)(b) and (d) as well as 79(2)(c) of the Treaty on the Functioning of the European Union as the legal bases for provisions in the field of integrated border management and illegal immigration.

Variable geometry

This proposal builds upon the provisions of the Schengen acquis related to border checks. Therefore the following consequences in relation to the various protocols and agreements with associated countries have to be considered:

Denmark: According to Article 4 of Protocol 22 on the position of Denmark annexed to the Treaties, Denmark shall decide, within a period of six months after the Council has decided on this Regulation, whether it will implement this proposal, which builds upon the Schengen acquis, in its national law.

United Kingdom and Ireland: In accordance with Articles 4 and 5 of the Protocol integrating the Schengen acquis into the framework of the European Union and Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland, and Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis, the United Kingdom and Ireland do not take part in Regulation (EU) 2016/399 (Schengen Borders Code) nor in any other of the legal instruments which are commonly known as the 'Schengen acquis', viz. the legal instruments organising and supporting the abolition of controls at internal borders and the flanking measures regarding the controls at external borders. This Regulation constitutes a development of this acquis, and therefore, the United Kingdom and Ireland are not taking part in the adoption of this Regulation and are not bound by it or subject to its application.

Bulgaria and Romania: This Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis, within the meaning of Article 4(2) of the 2005 Act of Accession. This Regulation has to be read in conjunction with Council Decision 2010/365/EU of 29 June 2010 14 which rendered applicable, subject to some restrictions, the provisions of the Schengen acquis related to the Schengen Information System in Bulgaria and Romania.

Cyprus and Croatia: This Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(2) of the 2003 Act of Accession and Article 4(2) of the 2011 Act of Accession.

Associated Countries: On the basis of the respective agreements associating those countries with the implementation, application and development of the Schengen acquis, Iceland, Norway, Switzerland and Liechtenstein are to be bound by the Regulation proposed.

Subsidiarity

This proposal will develop and build upon the existing SIS, which has been operational since 1995. The original intergovernmental framework was replaced by Union instruments on 9 April 2013 (Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA). A full subsidiarity analysis has been carried out in previous occasions; this initiative aims at further refining the existing provisions, addressing identified gaps and improving operational procedures.

This considerable level of information exchange between Member States cannot be achieved via decentralised solutions. By reason of the scale, effects and impacts of the action, this proposal can be better achieved at Union level.

The objectives of this proposal encompass, inter alia, technical improvements to enhance the efficiency of SIS, as well as efforts to harmonise the use of the system across all participating Member States. Due to the transnational nature of these aims and of the challenges in ensuring effective information exchange to counter ever diversifying threats, the EU is well placed to propose solutions to these issues, which cannot be sufficiently achieved by the Member States alone.

If existing limitations to SIS are not addressed, there is a risk that numerous opportunities for maximised efficiency and EU added value are missed and that there are blind spots impeding the work of competent authorities. As an example, the lack of harmonised rules on the deletion of redundant alerts within the system can lead to the hindrance of free movement of persons as a fundamental principle of the Union.

Proportionality

Article 5 of the Treaty on the European Union states that action by the Union shall not go beyond what is necessary to achieve the objectives set out in the Treaty. The form chosen for this EU action must enable the proposal to achieve its objective and be implemented as effectively as possible. The proposed initiative constitutes a revision of SIS in relation to border checks.

The proposal is driven by the privacy by design principles. In terms of the right to protection of personal data, this proposal is proportionate as it provides for specific alert deletion rules and does not require the collection and storage of data for longer than is absolutely necessary to allow the system to function and meet its objectives. SIS alerts contain only the data that is required to identify and locate a person or an object and to enable appropriate operational action to be taken. All other additional details are provided via the SIRENE Bureaux enabling the exchange of supplementary information.

In addition, the proposal provides for the implementation of all necessary safeguards and mechanisms required for the effective protection of the fundamental rights of the data subjects; particularly the protection of their private life and personal data. It also includes provisions designed specifically to strengthen the security of individuals' personal data held in SIS.

No further processes or harmonisation will be necessary at EU level to make the system work. The envisaged measure is proportionate in that it does not go beyond what is necessary in terms of action at EU level to meet the defined objectives.

Choice of the instrument

The proposed revision will also take the form of a Regulation and will replace Regulation (EC) No 1987/2006. This approach has also been followed in relation to Council Decision 2007/533/JHA and, as both instruments are intrinsically linked, it has to be applied in relation to Regulation (EC) No 1987/2006 as well. Decision 2007/533/JHA was adopted as a so-called third pillar instrument under the former Treaty on the European Union. Such third pillar instruments were adopted by the Council without the European Parliament as co-legislator. The legal basis of this proposal is in the Treaty on the Functioning of the European Union (TFEU) since the pillar structure ceased to exist with the entry into force of the Lisbon Treaty on 1 December 2009. The legal basis commands the use of the ordinary legislative procedure. The form of a Regulation (of the European Parliament and of the Council) has to be chosen because the provisions are to be binding and directly applicable in all Member States.

The proposal will build on and enhance an existing centralised system through which Member States cooperate with each other, something which requires a common architecture and binding operating rules. Moreover, it lays down mandatory rules on access to the system including for the purpose of law enforcement which are uniform for all Member States as well as the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice 15 (eu-LISA). Since 9 May 2013, eu-LISA is responsible for the operational management Central SIS, which consists of all tasks necessary to ensure the full operation of Central SIS 24 hours a day, 7 days a week. This proposal builds on the responsibilities of eu-LISA in relation to SIS.

Furthermore, the proposal provides for directly applicable rules enabling data subjects' access to their own data and remedies without requiring further implementing measures in this respect.

2.

As a consequence, only a Regulation can be chosen as a legal instrument.


3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

In accordance with the Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA 16 , three years after its entry into operation, the Commission carried out an overall evaluation of the central SIS II system as well as of the bilateral and multilateral exchange of supplementary information between Member States.

The evaluation specifically targeted the review of the application of Article 24 of Regulation (EC) No 1987/2006 with the purpose of making necessary proposals to modify the provisions of this Article to achieve a greater level of harmonisation of the criteria for entering alerts.

The results of the evaluation highlighted the need for changes to the SIS legal basis in order to provide a better response to new security and migration challenges. This includes for example a proposal for the mandatory entry of entry bans into SIS to better enforce them, the mandatory consultation between Member States to avoid the co-existence of an entry ban and a residence permit, the option to identify and locate individuals on the basis of their fingerprints through the use of a new automated fingerprint identification system, and expanding the biometric identifiers in the system.

The evaluation results also showed the need for legal amendments in order to improve the technical functioning of the system and to streamline national processes. These measures will enhance the efficiency and effectiveness of SIS by facilitating its use and reducing unnecessary burden. Further measures are designed to enhance the data quality and transparency of the system by more clearly describing the specific reporting tasks of member States and eu-LISA.

The results of the comprehensive evaluation (the evaluation report and the related Staff Working Document were adopted on 21 December 2016 17 ) have formed the basis of the measures contained within this proposal.

Furthermore, in accordance with Article 19 of the Return Directive 2008/115/EC, the Commission published a Communication on EU Return Policy in 2014 18 , which reports on the application of that Directive. It concluded that the potential of SIS in the field of return policy should be further enhanced; it indicates that the review of SIS II is an opportunity to improve consistency between the return policy and SIS II, and it suggests introducing an obligation on Member States to enter a refusal of entry alert in SIS II for entry bans issued under the Return Directive.

Stakeholder consultations

During the Commission's evaluation of SIS, feedback and suggestions were sought from relevant stakeholders, including delegates to the SISVIS Committee under the procedure established in Article 51 of Regulation (EC) No 1987/2006. This Committee includes the Member States’ representatives on both operational SIRENE matters (cross-border cooperation in relation to SIS) and technical matters in the development and maintenance of SIS and the related SIRENE application.

Delegates responded to detailed questionnaires as part of the evaluation process. Where further clarification was necessary or the subject needed to be further developed this was achieved through email exchange or targeted interview.

This iterative process allowed issues to be raised in a comprehensive and transparent way. Throughout 2015 and 2016, delegates to the SISVIS Committee discussed these issues in dedicated meetings and workshops.

The Commission also consulted specifically with Member State national data protection authorities and members of the SIS II Supervision Coordination Group in the field of data protection. Member States shared their experiences on subject access requests and the work of national data protection authorities by responding to a dedicated questionnaire. The responses to this questionnaire from June 2015 have informed the development of this proposal.

Internally, the Commission set up an Inter-service Steering Group including the Secretariat-General and the Directorates-General for Migration and Home Affairs, Justice and Consumers, Human Resources and Security, and Informatics. This steering group monitored the evaluation process and provided guidance as needed.

The evaluation's findings also took into account evidence collected during on-site evaluation visits to Member States, examining in detail how SIS is being used in practice. This includes discussions and interviews with practitioners, SIRENE Bureau staff and national competent authorities.

Feedback and suggestions of Member States' competent return authorities, notably on the consequences of a possible obligation to introduce alerts in SIS for all entry bans issued in accordance with Directive 2008/115/EC, were also sought in the context of the Commission's Contact Group Return Directive, during its meetings on 16 November 2015, 18 March and 20 June 2016.

In light of this feedback, this proposal makes provision for measures to improve the technical and operational efficiency and effectiveness of the system.

Collection and use of expertise

In addition to the stakeholder consultations, the Commission also sought external expertise via four studies, the findings of which have been incorporated in the developments of this proposal:

• SIS Technical Assessment (Kurt Salmon) 19

This assessment identified the key issues in the functioning of SIS and future needs that should be addressed, primarily identifying concerns with regards to maximising business continuity and ensuring that the overall architecture can adapt to increasing capacity requirements.

• ICT Impact Assessment of Possible Improvements to the SIS II Architecture (Kurt Salmon) 20

This study assessed the current cost of operating the SIS at national level and to evaluated two possible technical scenarios for the improvement of the system. Both scenarios include a set of technical proposals focusing on improvements to the central system and overall architecture.

• "ICT Impact Assessment of the technical improvements to the SIS II architecture – Final Report",10 November 2016, (Wavestone) 21

This study assessed the cost impacts on Member States of the implementation of a national copy by analysing three scenarios (a fully centralised system, a standardised N.SIS implementation developed and provided by eu-LISA to Member States and a distinct N.SIS implementation with common technical standards).

• Study on the feasibility and implications of setting up within the framework of the Schengen Information System an EU-wide system for exchanging data on and monitoring compliance with return decisions (PwC) 22

This study assesses the feasibility and the technical and operational implications of the proposed changes to the SIS with the purpose of enhancing its use for the return of irregular migrants and for preventing their re-entry.

Impact assessment

The Commission did not carry out an impact assessment.

The three independent assessments mentioned above formed the basis of consideration for the impacts of changes to the system from a technical perspective. In addition, the Commission has concluded two reviews of the SIRENE Manual since 2013, i.e. since SIS II entered into operation on 9 April 2013 and Decision 2007/533/JHA became applicable. This includes a mid-term review assessment which resulted in the launch of a new SIRENE Manual 23 on 29 January 2015. The Commission also adopted a Catalogue of Best Practices and Recommendations 24 . Moreover, eu-LISA and the Member States carry out regular, iterative technical improvements to the system. It is considered that these options have now been exhausted, requiring more wholesale amendment to the legal basis. Clarity in areas such as application of end-user systems as well as detailed rules on alert deletion cannot be achieved through improved implementation and enforcement alone.

Furthermore, the Commission has carried out a comprehensive evaluation of SIS as it was required by Articles 24 (5), 43 i and 50 (5) of Regulation (EC) No 1987/2006 and Art. 59 i and 66(5) of Decision 2007/533/JHA and published an accompanying Staff Working Document. The results of the comprehensive evaluation (the evaluation report and the related Staff Working Document were adopted on 21 December 2016) have formed the basis of the measures contained within this proposal.


The Schengen evaluation mechanism, laid down in Regulation (EU) No. 1053/2013 25 allows the periodic legal and operational assessment of the functioning of SIS in the Member States. The evaluations are jointly carried out by the Commission and Member States. Through this mechanism, the Council makes recommendations to individual Member States, based on the evaluations carried out as part of multi-annual and annual programmes. As a result of their individual nature, these recommendations cannot replace legally binding rules which are applicable at the same time to all Member States using the SIS.

The SISVIS Committee regularly discusses practical operational and technical issues. Although these meetings are instrumental in the cooperation between the Commission and the Member States, the outcome of these discussions (absent legislative changes) cannot remedy issues emerging due to diverging national practices, for example.

The changes proposed in this Regulation do not present a significant economic or environmental impact. However, these changes are expected to have a significantly positive social impact, as they provide for increased security by allowing for better identification of persons using false identities, criminals whose identity remains unknown after having committed a serious crime as well irregular migrants taking advantage of the area without internal border controls. The impact of these changes on fundamental rights and data protection has been considered and set out in more detail in the next section ("Fundamental rights").

The proposal has been drawn up making use of the substantial body of evidence collected to inform the overall evaluation of the second generation of SIS, which explored the functioning of the system and possible areas for improvement. In addition, a cost impact assessment study was carried out, to ensure that the national architecture chosen was the most appropriate and proportionate.

Fundamental rights and data protection

This proposal develops and improves an existing system, rather than establishing a new one, and hence builds upon. important and effective safeguards that have already been put in place. Nevertheless, as the system continues to process personal data, and will process further categories of sensitive biometric data, there are potential impacts on an individual's fundamental rights. These have been thoroughly considered, and additional safeguards have been put in place to limit the collection and further processing of data to what is strictly necessary and operationally required, and restricting access to that data to those who have an operational need to process it. Clear data retention timeframes have been set out in this proposal, and there is explicit recognition of and provision for individuals' rights to access and rectify data relating to them and to request erasure in line with their fundamental rights (see section on data protection and security).

In addition, the proposal strengthens measures to protect fundamental rights, as it sets out in legislation the requirements for an alert to be deleted and introduces a proportionality assessment if an alert is being extended. The proposal defines extensive and robust safeguards for the use of biometric identifiers to avoid innocent persons being inconvenienced.

The proposal also requires the end-to-end security of the system, ensuring greater protection for the data stored within it. With the introduction of a clear incident management procedure, as well as improved business continuity for the SIS, this proposal fully complies with the Charter of Fundamental Rights of the European Union 26 not only as regards the right to the protection of personal data. The development and continued effectiveness of SIS will contribute to the security of persons within society.

The proposal envisages significant changes concerning biometric identifiers. In addition to fingerprints, palm prints should also be collected and stored if the legal requirements are met. Fingerprint logs are attached to alphanumeric SIS alerts as provided for in Article 24. It should be possible in the future to search these dactylographic data (fingerprints and palm prints) with fingerprints found at a scene of crime provided that the offence qualifies as serious crime or terrorist offence and that it can be to a high degree of probability that they belong to the perpetrator. In case of uncertainty concerning a person's identity based upon his documents, the competent authorities should carry out a fingerprint against the fingerprints stored in the SIS database.

The proposal requires the collection and storage of additional data (such as details of the personal identification documents) that facilitate the work of the officers on the ground to establish the identity of a person.

The proposal guarantees the data subject's right to effective remedies available to challenge any decisions, which shall in any case include an effective remedy before a court or tribunal in line with Article 47 of the Charter of Fundamental Rights.

4. BUDGETARY IMPLICATIONS

SIS constitutes one single information system. Consequently, the expenditures foreseen in two of the proposals (the current one and the Proposal for a Regulation on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters) should not be considered as two separate amounts but as a single one. The budgetary implications of the changes required for the implementation of both proposals are included in one legislative financial statement.

Due to the complementary nature of the third proposal (concerning the return of illegally staying third country nationals) the budgetary implications are dealt with separately and in an independent financial statement addressing only the establishment of this specific alert category.

On the basis of an assessment of the various aspects of the work required in relation to the network, the Central SIS by eu-LISA and the national developments in the Member States, the two proposals for Regulations will require a global amount of EUR 64.3 million for the period 2018-2020.

This covers an increase of the TESTA-NG bandwidth due to the fact that in accordance with the two proposals, the network will transmit fingerprint files and facial images requiring higher throughput and capacity (EUR 9.9 million). It also covers eu-LISA’s costs in relation to staff and operational expenditure (EUR 17.6 million). eu-LISA informed the Commission that the recruitment of 3 new contract agents is planned to take place in January 2018 to start the development phase in due time to ensure entry into operations of the updated functionalities of SIS in 2020. The present proposal entails technical amendments to the Central SIS in order to extend some of the existing alert categories and provide new functionalities. The financial statement attached to this proposal reflects these changes.

Furthermore, the Commission carried out a cost impact assessment study to assess the costs of the national developments necessitated by this proposal. 27 The estimated cost is EUR 36.8 million which should be distributed via a lump sum to the Member States. Hence, each Member State will receive the amount of EUR 1.2 million to upgrade its national system in accordance with the requirements set out in this proposal, including for setting up a partial national copy where this is not yet the case or for a back-up system.

A re-programming of the remainder of the Smart Borders envelope of the Internal Security Fund is planned in order to carry out the upgrades and implement the functionalities foreseen in the two proposals. The ISF Borders Regulation 28 is the financial instrument where the budget for the implementation of the Smart Borders package has been included. Article 5 of the Regulation provides that EUR 791 million shall be implemented through a programme for setting up IT systems supporting the management of migration flows across the external border under the conditions laid down in Article 15. Out of the above-mentioned EUR 791 million, EUR 480 million is reserved for the development of the Entry-Exit System and EUR 210 million for the development of the European Travel Information and Authorisation System (ETIAS). The remainder will be partly used to cover the costs of the changes foreseen in the two proposals concerning SIS.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The Commission, Member States and eu-LISAwill regularly review and monitor the use of SIS, to ensure that it continues to function effectively and efficiently. The Commission will be assisted by the SISVIS Committee to implement technical and operational measures as described in the proposal.

In addition, this proposed Regulation includes provision in Article 54 i and (8) for a formal, regular review and evaluation process.

Every two years, eu-LISA is required to report to the European Parliament and the Council on the technical functioning – including security – of SIS, the communication infrastructure supporting it, and the bilateral and multilateral exchange of supplementary information between Member States.

Furthermore, every four years, the Commission is required to conduct, and share with the Parliament and the Council, an overall evaluation of SIS and the exchange of information between Member States. This will:

• examine results achieved against objectives;

• assess whether the underlying rationale for the system remains valid;

• examine how the Regulation is being applied to the central system;

• evaluate the security of the central system;

• explore implications for the future functioning of the system.

eu-LISA is also now charged with providing daily, monthly and annual statistics on the use of SIS, ensuring continuous monitoring of the system and its functioning against objectives.

Detailed explanation of the new provisions of the proposal

Provisions that are common to this proposal and the proposal for a Regulation on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters:

• General Provisions (Articles 1 – 3)

• Technical architecture and ways of operating SIS (Articles 4 – 14)

• Responsibilities of eu-LISA (Articles 15 – 18)

• Right to access and retention of alerts (Articles 29, 30, 31, 33 and 34)

• General data processing and data protection rules (Articles 36 – 53)

• Monitoring and statistics (Article 54)

3.

End-to-end use of SIS


With over 2 million end-users in the competent authorities across Europe, SIS is an extremely widely used and effective tool for information exchange. These proposals include rules covering the complete end-to-end operation of the system, including Central SIS operated by eu-LISA, the national systems and the end-user applications. It addresses not only the central and national systems themselves, but also the end-users' technical and operational needs.

Article 9(2) specifies that end-users must receive the data required to perform their tasks (in particular all data required for the identification of the data subject and to take the required action). It also provides for a common blueprint for Member State implementation of SIS, ensuring harmonisation across all national systems. Article 6 stipulates that each Member State must ensure uninterrupted availability of SIS data to end-users, in order to maximise the operational benefits by reducing the possibility of downtime.

Article 10 i ensures that the security of data processing also includes the data processing activities of the end-user. Article 14 obliges Member States to ensure that staff with access to SIS receive regular and ongoing training about data security and data protection rules.

As a result of the inclusion of these measures, this proposal more comprehensively covers the full end-to-end functioning of the SIS, with rules and obligations concerning the millions of end-users across Europe. In order to use SIS to its full effectiveness Member States should ensure that each time their end-users are entitled to carry out a search in a national police or immigration database, they also search SIS in parallel. This way SIS can fulfil its objective as the main compensatory measure in the area without internal border controls and Member States can better address the cross-border dimension of criminality and the mobility of criminals. This parallel search must remain in compliance with Article 4 of Directive (EU) 2016/680 29 .

4.

Business continuity


The proposals strengthen provisions regarding business continuity, both at national level and for eu-LISA (Articles 4, 6, 7 and 15). These ensure that SIS will continue to remain functional and accessible to staff on the ground, even if there are issues that affect the system.

5.

Data quality


The proposal maintains the principle that the Member State, which is the data owner, is also responsible for the accuracy of the data entered in SIS (Article 39). It is, however, necessary to provide for a central mechanism managed by eu-LISA which allows Member States to regularly review those alerts in which the mandatory data fields may raise quality concerns. Therefore Article 15 of the proposal empowers eu-LISA to produce data quality reports to Member States at regular intervals. This activity may be facilitated by a data repository for producing statistical and data quality reports (Article 54). These improvements reflect the interim findings of the High Level Expert Group on Information Systems and Interoperability.

6.

Photographs, facial images, dactylographic data and DNA profiles


The possibility to search with fingerprints with a view to identify a person is already set out in Article. 22 of Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA. The proposals make this search mandatory if the identity of the person cannot be ascertained in any other way. Currently, facial images can only be used to confirm a person's identity following an alphanumeric search, rather than as the basis for a search. Furthermore, changes to Articles 22 and 28 make provision for facial images, photographs and palm prints to be used to search the system and identify people, when this becomes technically possible. Dactylography refers to the scientific study of fingerprints as a method of identification. Experts in dactylography recognise that palm prints have the characteristic of uniqueness and that they contain reference points that enable accurate and conclusive comparisons just as do fingerprints. Palm prints can be used to establish a person's identity in the same way that fingerprints can be used. The taking of palm prints along with the ten rolled and ten flat prints of a person has been police practice for many decades. There is one main use of palm prints, namely for identification purposes when the subject has intentionally or unintentionally damaged the tips of their fingers. This can be through an attempt to avoid being identified or fingerprinted or through damage caused by accident or heavy manual work. In the course of the discussion on the technical rules of SIS AFIS, Member States reported considerable success in the identification of irregular migrants who had intentionally damaged their fingertips in an attempt to avoid identification. The taking of palm prints by Member State authorities allowed subsequent identification.


The use of facial images for identification will ensure greater consistency between SIS and the proposed EU Entry Exit System, electronic gates and self-service kiosks. This functionality will be limited to the regular border crossing points.

Access by authorities to SIS – institutional users

This sub-section is intended to describe the new elements in access rights with regard to EU Agencies (institutional users). The access rights of competent national authorities have not been amended.

Europol (Article 30) and the European Border and Coast Guard Agency – as well as its teams, teams of staff involved in return-related tasks, and members of the migration management support team – and the ETIAS Central Unit within the Agency (Articles 31 and 32) have the access to SIS and SIS data that they need. Appropriate safeguards are put in place to ensure that the data in the system is properly protected (including also the provisions in Article 33, requiring that these bodies may only access the data they need to carry out their tasks).

These changes extend access to SIS for Europol to refusal of entry alerts, ensuring that it can make best use of the system as it carries out its duties, and add new provisions that ensure that the European Border and Coast Guard Agency as well as its teams can access the system while carrying out the different operations under their mandate assisting Member States. Furthermore under Commission proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation System (ETIAS) 30 the ETIAS Central Unit of the European Border and Coast Guard Agency will, via ETIAS, verify against SIS whether the third country national applying for a travel authorisation is subject of a SIS alert. To this end the ETIAS Central Unit will also have access to SIS 31 .

Article 29 i sets out that national visa authorities may also, in the performance of their tasks, access alerts on documents issued in accordance with the Regulation 2008/…. on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters.

This will allow these bodies to have the access to SIS and SIS data that they need in order to carry out their tasks, while also putting in place appropriate safeguards to ensure that the data in the system is properly protected (including also the provisions in Article 35, requiring that these bodies may only access the data they need to carry out their tasks).

7.

Refusal of entry and stay


Currently, in accordance with Article 24 i of the SIS II Regulation, a Member State may insert an alert in SIS in respect of persons subject to an entry ban based on a failure to comply with national migration legislation. The revised Article 24 i requires that an alert be entered in SIS in any case in which an entry ban has been issued to an illegally staying third country national in accordance with provisions respecting Directive 2008/115/EC. It also establishes the timing and conditions for entering such alerts after the third-country national has left the territories of the Member States in compliance with an obligation to return. This provision is inserted in order to avoid that entry bans are visible in SIS while the third-country national concerned is still present on the EU territory. Since entry bans prohibit the re-entry into the territories of the Member States, they can come into effect only after the return of the third-country nationals concerned. At the same time, Member States should take all necessary measure to ensure that there is no time-gap between the moment of return and the activation of the alert on refusal of entry and stay in SIS.

This proposal is closely linked with the Commission proposal 32 concerning the use of SIS for the return of illegally staying third country nationals, laying down the conditions and procedures for entering alert on return decisions in SIS. That proposal includes a mechanism for monitoring whether third-country nationals who are the subject of a return decision effectively leave the EU territory and a warning mechanism in case of non-compliance. Article 26 sets out the consultation process that Member States must follow when they encounter alerts on refusal of entry and stay – or are willing to enter such alerts – that collide with other Member States' decisions, such as for instance a valid residence permit. Such rules should prevent the emergence of, or resolve, the conflicting instructions that these situations may create, while offering clear guidance to end-users on the actions to be taken in such situations and to Member States authorities on whether an alert should be deleted.

Article 27 (ex-Article 26 of Regulation (EC) No 1987/2006) is intended to implement the EU sanction regime which affects third-country nationals who are subject of a restriction to be admitted to the EU territory in accordance with Article 29 of the Treaty on the European Union. In order to allow entering such alerts it was necessary to require the minimum data necessary for the identification of the person, namely surname and date of birth. The fact that Regulation (EC) No 1987/2006 waived the requirement to enter the date of birth created significant challenges as without a date of birth, no alert can be created in SIS, in line with the technical rules and the search parameters of the system. As Article 27 is indispensable to have an efficient EU sanction regime the proportionality requirement does not apply in this respect.

In order to ensure greater consistency with Directive 2008/115/EC the terminology used when referring to the purpose of the alert ("refusal of entry and stay") has been aligned with the wording used in the Directive.

8.

Distinguishing between persons with similar characteristics


In order to ensure that data is processed and stored appropriately, and to reduce the risk of duplication and misidentification, Article 41 sets out the process to follow if it appears, on entering a new alert, that there is already an entry in SIS with similar characteristics.

9.

Data protection and security


This proposal clarifies responsibility for preventing, reporting and responding to incidents that might affect the security or integrity of SIS infrastructure, SIS data or supplementary information (Articles 10, 16 and 40).

Article 12 contains provisions on keeping and searching logs of the history of alerts.

Article 15 i maintains Article 15 i of Regulation (EC) No 1987/2006 and provides that the Commission remains responsible for the contractual management of the communication infrastructure, including tasks relating to the implementation of the budget and the acquisition and renewal. These tasks will be transferred to eu-LISA in the second suite of SIS proposals in June 2017.

Article 21 extends the requirement for Member States to consider proportionality before issuing alerts to also apply to decisions on whether the validity period of an alert should be extended. As a novelty, however, Article 24(2) (c) requires Member States to create an alert in all circumstances, on those persons whose activity falls under Articles 1, 2, 3 and 4 of Council Framework Decision 2002/475/JHA on combating terrorism.

10.

Categories of data and data processing


In order to provide more and more precise information to the end-users to facilitate and accelerate the required action as well as to allow the better identification of the alert subject this proposal expands the types of information (Article 20) that can be held about people for whom an alert has been issued, to also include:

• whether the person is involved in any activity falling under Articles 1, 2 , 3 and 4 of Council Framework Decision 2002/475/JHA;

• whether the alert is related to an EU citizen or other person who enjoys rights of freedom of movement equivalent to those of EU citizens;

• whether a decision on refusal of entry is based on provisions in Article 24 or in Article 27;

• the type of offence (for alerts issued under Article 24(2));

• details of a person's identity or travel document;

• colour copy of the person's identity or travel document;

• photographs and facial images;

• fingerprints and palm prints.

Having appropriate data is essential to ensure the accurate identification of a person who is checked at a border crossing, who is subject to an internal check or who applies for permission to stay. An inaccurate identification can result in fundamental rights issues; it can also lead to a situation in which the appropriate follow-up actions cannot be taken as there is no knowledge of the existence or content of an alert.

Concerning the information on the underlying decision, four reasons can be distinguished: a previous conviction as referred to in Article 24 (2)(a), a serious security threat as referred to in Article 24 (2)(b), an entry ban as referred to in Article 24 i and a restrictive measure as referred to in Article 27. In order to ensure that appropriate actions are taken in case of a hit it is also necessary to indicate whether the alert is related to an EU citizen or other person who enjoys rights of freedom of movement equivalent to those of EU citizens. Having appropriate data is essential to ensure the accurate identification of a person who is checked at a border crossing, who is subject to an internal check or who applies for permission to stay. An inaccurate identification can result in fundamental rights issues; it can also lead to a situation in which the appropriate follow-up actions cannot be taken as there is no knowledge of the existence or content of an alert.

It also (Article 42) expands the list of personal data that may be entered and processed in SIS for the purpose of dealing with misused identities as more data facilitates the victim and the perpetrator of misused identity. The extension of this provision entails no risk as all these data can only be entered upon the consent of the victim of misused identity. This will now also include:

• facial images;

• palm prints;

• details of identity documents;

• the victim's address;

• the names of the victim's father and mother.

Article 20 provides for more detailed information in the alerts. It includes categories for the reason of the refusal of entry and stay and the details of the personal identification documents of the data subjects. This enhanced information allows for the better identification of the person concerned, and on the other hand for a more informed decision to be taken by the end-users. For the protection of the end-users carrying out the checks, SIS will also show if the person in relation to whom an alert was issued, falls under any of the categories provided in Articles 1, 2, 3 and 4 of Council Framework Decision 2002/475/JHA on combating terrorism 33 .

The proposal makes clear that Member States must not copy data entered by another Member State into other national data files (Article 37).

11.

Retention


Article 34 sets out the timeframe for reviewing alerts. The maximum retention period of refusal of entry and stay alerts has been aligned with the possible maximum length of entry bans issued in accordance with Article 11 of Directive 2008/115/EC. Thus, the maximum retention period will become 5 years; Member States may, however, set shorter periods.

12.

Deletion


Article 35 sets out the circumstances under which alerts must be deleted, bringing greater harmonisation to national practices in this area. Article 35 sets out particular provisions for SIRENE Bureau staff to delete alerts that are no longer required proactively that are no longer required if no reply is received from the competent authorities.

13.

Rights for data subjects to access data, rectify inaccurate data and erase unlawfully stored data


The detailed rules on the data subject's rights remained unchanged as the existing rules already ensure a high level of protection and are in line with Regulation (EU) 2016/679 34 and Directive 2016/680 35 . In addition to that Article 48 sets out the circumstances under which Member States may decide not to communicate information to data subjects. This must be for one of the reasons listed in this Article, and it must be a proportionate and necessary measure, in line with national law.

14.

Statistics


In order to maintain an overview of the functioning of remedies, Article 49 makes provision for a standard statistical system providing annual reports on numbers of:

• data subject's access requests;

• requests for rectification of inaccurate data and erasure of unlawfully stored data;

• cases before the courts;

• cases where the court ruled in favour of the applicant; and

• observations on cases of mutual recognition of final decisions handed down by the courts or authorities of other Member States on alerts created by the alert-issuing State.


15.

Monitoring and statistics


Article 54 sets out the arrangements that must be put in place to ensure the proper monitoring of SIS and its functioning against its objectives. To do this, eu-LISA is charged with providing daily, monthly and annual statistics on how the system is being used.

Article 54(5) requires euLISA to provide the Member States, the Commission, Europol and the European Border and Coast Guard Agency with statistical reports that it produces and allows the Commission to request additional statistical and data quality reports relating to SIS and SIRENE communication.

Article 54(6) provides for the creation and hosting of a central repository of data, as part of eu-LISA's work on monitoring the functioning of SIS. This will enable authorised staff of Member States, the Commission, Europol and the European Border and Coast Guard Agency to access the data listed in Article 54 i in order to produce the statistics required.