Garante Privacy


01 March 2001


FIRST ANNUAL ACTIVITY REPORT March 95-March 97 CONTENTS Foreword Chapter 1. Reminders 1.1. The Text (Agreement, Schengen Convention, Convention of Accession, Cooperation Agreements) 1.2. Common instances for the implementation of the Convention 1.3. Objective and architecture of the Schengen Information System • Recorded information • Recipients of the information • Architecture of the Schengen Information System 1.4. The SIRENE offices Chapter 2. Protection of data of a personal nature 2.1. A National Law and a National Control Authority : prior conditions to the Convention's implementation 2.2. Respective scope of implementation of the Convention and of National Law • People's rights with respect to the SIS • Control of the Schengen Information System • Exchange of information outside the SIS Chapter 3. The Joint Supervisory Authority and the conditions of its independence 3.1. Composition of the Joint Supervisory Authority 3.2. The missions of the JSA 3.3. The conditions of independence • Adoption of an internal regulation • Release of an autonomous budget line • Working out of an activity report • Information on the Convention's functional aspects Chapter 4. Missions undertaken 4.1. Missions completed 4.1.1. The comparison of the data protection rules applicable in the Schengen States 4.1.2. Examination of the juridical grounds of the SIRENE offices and content of the SIRENE manual 4.1.3. Cooperation between the National Control Authorities. The opinion of 26 November 1996 on the right of access and cooperation for verifying data 4.1.4. Control of the C.SIS • The on-site visit by the JSA and the opinion dated May, 18, 1994 • The JSA's control mission, the on-site visit of 11 February 1997 and the opinion dated March 27, 1997 4.1.5. The opinion on the pilot project on stolen vehicles 4.1.6. The opinion on the cooperation agreement on the processing of traffic offences and the enforcement of penalties (fines) in that context 4.2. Current missions 4.2.1. The guide to people's rights with regard to the SIS 4.2.2. The interpretation of article 102.2, pertaining to technical duplication of data of the SIS 4.2.3. The interpretation of article 103, pertaining to control of the admissibility of queries from the SIS 4.2.4. The interpretation of article 102.1, pertaining to the principle of finality for the utilization of data from the SIS Chapter 5. Prospects 5.1. Transparency in the relations between the Schengen instances • Information to the JSA about the Convention's functional aspects • Completion of the protocol for the operation of C.SIS controls • The final endorsement of the JSA's budgetary autonomy 5.2. Transparency with respect to the citizen • About the objectives • About the extension of the Schengen Convention and the increasing complexity of control devices of the rules for data protection Foreword In the framework of the large scale police cooperation projects, the Schengen agreements and the Information System bearing the same name have the status of a test laboratory. Though the Schengen Convention of Schengen contains satisfactory provisions in regard with people's rights, data protection and with control of the information system, the successive postponements of the enforcement of the text almost let the system overrule the application of the principles, due to its increase in power in the name of effectiveness. As other European cooperation projects were developed and the imperative factor of effectiveness was consistently referred to as a priority, this situation became a matter of concern. It could seriously have undermined the control of data protection if a provisional Joint Supervisory Authority were not established in 1992. It is obvious that information exchange and police, judicial and customs cooperation, as a counterpart for the free circulation of persons, have become necessary means to fight terrorism, narcotics traffic and hard criminality, to assure security and to control the immigration flow. However, it remains important that chapter(s) dedicated to the protection of information pertaining to physical persons and defining the competent National or Common Control Authorities in such matters not be disregarded as mere stylish clauses. This initial activity report covers two years and is above all the unfinished narrative of a step-by-step negotiation with the parties/States to stick to the letter of the Convention and achieve a true acknowledgement of the independence and authority of a body of control, created to look after the rights of subject-persons in the frame of an exchange of information. It can therefore be said that, in addition to a test laboratory, the Schengen Joint Supervisory Authority is also a figurehead. Alex Türk March 1997 Chapter 1. Reminders 1.1. The Text The Schengen Agreement was signed on June 14, 1985 by the governments of the States of the Economic Union of Benelux, the Federal Republic of Germany and the Republic of France. It provisionally entered into force as from its signature (article 32) and came into effect on March 2, 1986. An expression of the will to create a common area of circulation of goods and persons, in order to avoid a remake of incidents that had occurred a year earlier due to overzealous action of Italian customs officers (foreign trucks stopped at the border, protest road blocks set up in France, the entire European road network disrupted), the Schengen Agreement's priority was a gradual elimination of customs checks at common frontiers of the signatory States. As a matter of fact, only 7 out of the agreement's 33 articles concern police cooperation and the struggle against immigration. On the opposite, the Schengen Convention of the Schengen agreement, signed on June 19, 1990 by the same contracting parties, developed police, customs and judicial cooperation for purposes of common outer frontier control. This counterpart to the opening which was decided five years earlier was deemed necessary in the context of National debates on the issues of insecurity and immigration. One of the fundamental measures of this cooperation device was the creation of a common computerized information system, the Schengen Information System (title IV of the Convention). As a consequence of a set of National and international texts dictating the observance of the data protection principles, the implementation of this system induced the creation of a Joint Supervisory Authority, whereby reference was made to models of independent National Control Authorities competent in the field. The Schengen Convention - its entry into force being subject to ratification, approval or acceptance and its implementation being subject to the provision that "The Convention shall not enter into force until the preconditions for its implementation have been fulfilled in the signatory States and checks at external borders are effective" - entered into force on 1 September 1993 and was implemented on 26 March 1995. The date originally planned had been 1 January 1993. The Convention was open to accession for other member States of the European Communities (article 140) and made it possible to extend the Schengen area to Italy, Spain, Portugal, Greece and Austria, even though to this day only Spain and Portugal meet all requirements to feed data to the SIS, have access to the information it contains and fully participate in meetings of all Schengen authorities, in particular the Joint Supervisory Authority. More recently, on May 1st, 1996, the five countries of the Scandinavian Union linked by the Scandinavian Union's Passport Agreement, which installed the free circulation of persons between their territories and the Faeroe Islands, acquired the status of observer. On December 19, 1996, Denmark, Finland and Sweden, member countries of the European Union, have signed an agreement of accession to Schengen. By virtue of a cooperation agreement of the same date, Iceland and Norway, non-members of the European Union, were proposed a status of associated member by the terms of which the Convention applies to their territory, with exception to provisions pertaining to goods' control. However, they are not entitled to formally take part in decisions. Both of these States will fully participate in the functioning of the Schengen Information System. 1.2. Common instances for the implementation of the Convention The contracting parties created two instances for the implementation of the Convention : • The Executive Committee, consisting of one minister in charge of the Convention's implementation in each party/State, takes on the general mission of supervising the correct implementation of the Convention and has specific additional competencies (article 131). • The Joint Supervisory Authority (JSA) consists of two representatives for every National control Authority of the parties/States and has the task of verifying the good execution of the Convention's provisions with respect to the function of the technical medium of the SIS (article 115). It also has a number of more general competencies in the field of data protection. Beside these two instances, the Schengen organization is structured around a Central Group, with the subordinate SIS Steering committee and various work groups, some of which have been set up by the Convention. The Schengen instances are assisted by a secretariat, a task fulfilled by the General Secretariat of the Economic Union of Benelux, based in Brussels. An organization chart is attached. 1.3. Objective and architecture of the Schengen Information System The entirety of Title IV of the Convention is dedicated to the Schengen Information System (SIS). Article 93 of the Convention specifies that the objectives of the SIS are to maintain public order and security, including State security, and to enforce the Convention's provisions for the circulation of persons with the help of the data transmitted by the system. Recorded information Article 94 includes a restrictive list of categories of data permitted to be recorded in the system. Articles 95 to 100 specify the finalities which justify the input of such records. The categories of data relate to persons, objects and vehicles. As far as persons are concerned, it is permitted to enter elements concerning marital status and aliases, distinctive physical features insofar as they are objective and permanent, the possible mention of whether they are armed or violent and what attitude is recommended if encountered. So-called sensitive information revealing race origin, political opinions, religious or other convictions and data related to health or sexual life is ruled out. The finalities that justify the input of a person in the SIS are the following : a. Whatever the person's Nationality is : - arrest in view of extradition (article 95) ; - search in case of disappearance, search of minors or of persons to be confined by decision of a competent authority (article 97) ; - arrest in view of an appearance in a court of justice, even as a witness, in the context of a penal procedure or of the execution of a sentence depriving the subject of his freedom (article 98) ; - discreet watch and specific checks in view of repression of penal offences, prevention of threats to public security or prevention of serious threats to the State security (article 99) b. For foreigners, i.e. any person other than nationals of the member States of the European Community (definition in article 1, 6th alinea) ; - non-admittance on the territory as a result of an administrative or judicial decision taken in accordance of the National procedural regulations, or on the grounds of a threat to public order or to National safety and security, or on the grounds of non-observance of National regulations for entry and abode of foreigners (article 96). As far as goods are concerned, elements can only be entered together with the name of their owner and must relate to cars, firearms, stolen documents or banknotes searched to be seized or serve as evidence in a penal procedure (article 100). As far as vehicles are concerned, it is also permitted to register data concerning those searched for the purpose of discreet watch or specific checks (article 99, quoted earlier). This category authorizes the input of information about the watched vehicle's driver or occupiers. Recipients of the information Articles 92 and 101 of the Convention state that authorities designated by the contracting Parties are entitled to access, whether by means of a computerized query or not : - to the whole of the data registered in the SIS during frontier controls, police verifications and other police or customs checks when carried out inside the country, in accordance with National Law ; - to only the category of records entered for purposes of non-admittance, in the context of issuing visas, right of abode documents or for the administration of foreigners, within the scope of the Convention's provisions concerning circulation of persons. The Executive Committee must be sent the list of authorities entitled to interrogate directly the data contained in the SIS (Article 101 (4). Architecture of the Schengen Information System Though several articles of Title IV prescribe the observance of given technical steps, the system's overall description occurs in article 92. The Schengen Information System (SIS) consists of one National part (N.SIS) for each of the contracting Parties and the function of the technical medium (C.SIS) created and maintained in common. The responsibility of the latter is taken on by the Republic of France. The function of the technical medium, settled in Strasbourg, has the objective and scope of making all the N.SIS materially identical. In order to achieve this, C.SIS includes a data file assuring the identity of the National files and on-line data transmission. Data transmission occurs in conformity with the protocols and procedures established in common by the contracting Parties for the function of the technical medium. Article 118.4 specifies the security measures that must be taken for the function of the technical medium. These measures are identical to those required for every N.SIS (Article 118.1 to 3). 1.4. The SIRENE offices The SIRENE offices (Supplément d'Informations Requis à l'Entrée Nationale / Supplementary Information Requested to the National Entry) are a creation of the parties/States which is not explicitly foreseen by the Convention. Charged with the exchange of complementary information within each Schengen State, they also act as intermediaries in the course of various State to State consultations on the attitude to adopt in the event of the execution of a SIS entry. Their missions and acts are defined in a concrete way in a common manual designated as "SIRENE manual". These mainly consist in consultations prior to the creation of a SIS entry, exchanges of information, surveillance of multiple entries and setting up priority orders. Chapter 2. Protection of data of a personal nature 2.1. A National Law and a National Control Authority : prior conditions to the Convention's implementation The parties/States have set several conditions prior to the implementation of the Convention on their territory. The imperative nature of the observance thereof is reminded in the final act. Two of these conditions are the obligation for each party/State, prior to any transmission of data of a personal nature, to appoint an independent National Control Authority (articles 114 and 128) and to pass a data protection law. More precisely, the Convention includes the following prescriptions, whether the data transmitted by virtue of enforcement of the Convention are processed by computer or not : a. for computerized processing of data transmitted by virtue of enforcement of Title IV in relation with SIS : Article 117 At the latest by the time the Convention takes effect, each contracting Party must make the necessary National provisions to achieve a level of protection of data of a personal nature at least equal to the level prescribed by the principles resulting from the European Council's Convention for the protection of persons in with respect to computerized processing of data of a personal nature, dated January 28, 1981, including observance of Recommendation R (87) 15 of the Ministers' Committee of the European Council, dated September 17, 1987 and aiming at regulating the use of data of a personal nature in the police sector. Transmission of data of a personal nature can only take place when the provisions for the protection of data of a personal nature have taken effect on the territories of the contracting Parties concerned by that transmission. b. for computerized processing of other data transmitted by virtue of enforcement of the Convention, with exception of data related to applications for asylum : Article 126 : Requirement of having achieved a level of protection of data of a personal nature at least equal to the level prescribed by the principles resulting from the above mentioned European Council's Convention dated January 28, 1991 ; the transmission of such data is also subordinated to the effectiveness of this protection on the territories of the contracting Parties concerned by that transmission. Article 129 : For the transmission of data related exclusively to police cooperation, the contracting Parties must achieve a level of protection of data of a personal nature which obeys the principles of the previously mentioned Recommendation R (87) 15 of the Ministers' Committee of the European Council, dated September 17, 1987. c. for data transmitted by virtue of enforcement of the Convention and stemming from a file or embedded in a file, excepting data related to applications for asylum, to the SIS or to mutual judicial help for penal matters : Article 127 : Enforcement of the provisions of article 126 and, for the transmission of data related to police cooperation, a level of data protection which obeys the principles of the previously mentioned Recommendation R (87) 15. d. Eventually, for transmitted data occurring in folders, only the specific provisions of article 126.3 for data protection apply, with one exception, under the supervision of the competent National Authority when occurring (article 128.2). 2.2. Respective scope of enforcement of the Convention and of National Law With respect to protection of data of a personal nature, the Convention effects a complex distribution between the scope of enforcement of its own provisions and that of the National rights of the party/States. People's rights with respect to the SIS The rule can be formulated as follows : the Law of every contracting Party is applicable provided that the Convention does not stipulate any particular provisions. The Convention specifies the nature of the rights that are acknowledged to persons and the possible restrictions to these rights. Provided that these provisions are respected, the people's rights are exercised by the letter of the National Law of each party/State. a. Right to access and communication (article 109) Every person has the right to access information concerning itself embedded in the SIS. It can file an application for that purpose with the competent instances of each of the parties/States. If National Law foresees it, the relevant information can be communicated to the author of the application. However, by virtue of enforcement of the "principle of data ownership", the communication is subordinated to the fact that the addressed State, when it is not the author of the entry, must first give the signalling State the opportunity to take position. Communication of information can be refused in the event that it could possibly prejudice the execution of a signalled entry or should this refusal be deemed necessary in order to protect the rights and liberties of third parties. At any rate, the communication is refused if the person was signalled for purposes of discreet watch. The major characteristics of the applicable National Law of several Schengen States for the exercise of the right of access to information registered in a computerized data processing system are listed in an enclosure. b. Right of correction (article 110) Every person has the right to have relevant data corrected when tainted with factual errors or deleted if tainted with legal error. In practice, communication of the information occurring in the system greatly facilitates the exercise of this right. c. The right to bring an action for correction, deletion, information or indemnification (article 111). Any individual must be able to assert his or her rights before a court or any other competent authority on the territory of each Contracting Party. Final decisions are enforced by the State Party concerned. d. Right to request verification of the data (Article 114 (2)) Any individual may request a national supervisory authority to verify the data in the SIS concerning him or her as well as the use to which this data is put. If the data have been entered by a State other than the State with which the request is filed, the verification is carried out in close collaboration with the supervisory authority of the State which issued the alert. Although an exhaustive list of the applications filed with the Schengen States exercising the abovementioned rights has not yet been drawn up, it can be inferred from the information available to the JSA that the number of applications made in each State varies from one to forty over the past two years. Control of the Schengen Information System The Convention states the principles of data protection applicable for the processing of data embedded in the SIS (article 104), without prejudice to the National Law of each contracting Party. It distributes the control of their observance between a Joint Supervisory Authority and the National Control Authorities (articles 114 and 115). The principles listed by the Convention are the following : a. Principle of finality for data recording and — with exception of a restrictive list of exceptional cases — for data utilization : extradition, non-admittance, missing persons, witnesses, summoned or sentenced persons, stolen goods, vehicles and persons under discreet watch or specific checks (previously quoted articles 94 to 100 and 102). b. Ban on processing of sensitive data and restrictive list of recorded data (previously quoted article 94). c. Definition of the recipients : limited access for National authorities with competencies in given fields and only in order to perform their task (previously quoted article 101). d. Ban on copying signalled entries of another contracting Party in a National file, and restriction of duplications for technical purposes (article 102). e. Obligation to record every tenth transmission of data for purposes of admissibility checks (article 103). f. Setting a duration of data preservation (articles 112 and 113). g. Obligation to preserve deleted data one full year in the function of the technical medium for purposes of subsequent control of their accuracy and of the licit nature of their input in the SIS (article 113.2). With respect to the system's control, the Convention specifies that every party/State must charge a National Authority with controlling the file of the National part of the information system (N.SIS) in an independent manner and in compliance with National Law (article 114). These authorities are responsible for controlling the observance of the provisions for data protection made by the Convention and the additional provisions by virtue of National Law, when occurring. On the other hand, the control of the function of the technical medium (C.SIS) is entrusted to the Joint Supervisory Authority, which must act in accordance with the Schengen Convention, the European Council's Convention for data protection, the European Council's Recommendation on data in the police sector, and in conformity with the French Law. Exchange of information outside the SIS Title VI (articles 126 and following) of the Convention, titled "protection of data of a personal nature" is dedicated to rules applicable to exchanges of information not applying for input in the SIS but interfering with the Convention's implementation (infra 2.1. b and c). The principles referred to here (finality, restriction of the recipients, accuracy of the data etc.) are applicable without prejudice to the provisions of the National Law on data protection, particularly of the Law that governs the exercise of the rights of the relevant people. The National Authorities are responsible for control of compliance with the rules stipulated by the Convention. The JSA plays a residual role : it can, upon the request of the contracting Parties, take an opinion on the difficulties arising from the implementation and interpretation of these rules. Chapter 3. The Joint Supervisory Authority and the conditions of its independence 3.1. Composition of the Joint Supervisory Authority Article 115.1 of the Convention specifies that the Joint Supervisory Authority (JSA) consists of two representatives of each National Control Authority. Each National Authority decides on the choice of its representatives in the JSA in the person of its chairman or director, who nominates them and informs the JSA's Secretariat and its chairman. The JSA then duly records the nominations. The National Control Authorities are not structured after a single model (some have a collegial structure, others not). Their representatives can respectively be members of the college, commissioners or directors, supervisors or agents of a department, or an outside personality. The Convention does not stipulate a term for members of the JSA : the duration thereof is left to the appreciation of each National Authority. The Joint Supervisory Authority was officially established upon enforcement of the Convention on March 26, 1995. Its composition is attached as an enclosure. However, under the impulse of Mr. Faber, data protection commissioner of Luxembourg and first chairman of the JSA, a provisional Joint Supervisory Authority was set up as early as the month of June, 1992 with the agreement of the Schengen ministers. At the time, after technical experiment were carried out with fictitious data, certain parties/States were considering to gradually introduce data with a real personal nature. The utility of a co-operation with the common organization charged with controlling the enforcement of the rules for data protection became undeniable. The PJSA consisted of one or two representatives of the National Control Authorities of five of the States which had initiated the agreements, and one or two independent experts appointed by the associated States on whose territory the Convention was not yet applicable. It adopted a provisional internal regulation, which prescribed that its missions were to be carried out by consensus. It developed a questionnaire on the nature of the rules of data protection applicable in each of the Schengen States with regard to the Convention, in particular to the SIS. It proceeded with a first visit to the function of the technical medium in Strasbourg. It gathered twelve times between June 29, 1992 and February 22, 1995 in the offices of the Schengen Secretariat in Brussels, and once in Strasbourg on March 15 and 16, 1994. It played a pioneer's role which made the JSA's task far easier when it was, in turn, formally established. Reference is made to the PJSA's work when the JSA's achievements, which developed it, are presented. Shortly after its constitution, the Joint Supervisory Authority held five meetings between May 17 and December 14, 1995, under the chairmanship of Mr. von Pommer Esche, Germany, chairman of the PJSA. One of the major objectives of these sessions was to set its final internal regulation code. On December 14, 1995, chairman Mr. Türk, France, senator, member of the Commission Nationale de l'Informatique et des Libertés (National commission for informatics and liberties) and deputy chairman Mr. Labescat, Portugal, lawyer, member of the National Commission for Data Protection, were elected by the JSA for renewable terms of one year. Mr. Türk, chairman, and Mr. Labescat, deputy chairman, were both re-elected for one year on December 5, 1996. The JSA held nine meetings in 1996 and three meetings since the beginning of 1997. Its first official assembly took place in Strasbourg on February 10 and 11, 1997. It appointed two work groups, the first of which gathered twice, in The Hague and in Paris, the second four times, in Brussels and in Madrid. 3.2. The missions of the JSA The JSA's major mission is to control the function of the technical medium of the SIS, a task which no one else is entitled to fulfil (article 115.2). However, an additional counselling and harmonizing role with respect to National doctrines and practices was also entrusted to it. The Schengen Convention of the Schengen Agreement specifies its missions in regard with SIS in the following articles : Article 106.3 : the JSA takes an opinion in the event of a disagreement between two Parties on a legal or factual error in a signalled entry. In this event, the Party which did not enter the record is compelled to refer to the JSA. Article 115.3 : - The JSA analyses implementation or interpretation difficulties occurring during the exploitation of the SIS ; - The JSA studies the questions which could be raised as a consequence of the exercise of independent control by the National Control Authorities of the contracting Parties ; - The JSA studies problems occurring on the occasion of the exercise of the right of access to the system ; - in a more general manner, the JSA develops harmonized proposals in view of finding solutions to existing problems. Article 115.4 : the JSA issues reports which are forwarded to the instances to which the National Control Authorities address their reports. Article 118.2 : the JSA is informed about the specific measures taken by each contracting Party in view of assuring the protection of data during transmission thereof to departments located outside the territories of the contracting Parties. About exchange of information outside the SIS : Article 126.3 f) : Upon the request of the contracting Parties, the JSA can take an opinion on implementation and interpretation difficulties with respect to article 126, pertaining to the processing of data transmitted by virtue of enforcement of the Convention, excluding the SIS. Article 127.1. The JSA can, under the conditions and in accordance with the modalities stipulated by article 126, take an opinion in the event of transmission of data extracted from a non-computerized file and of the input of data in such a file. In fact, from December 1995 to March 1997, the JSA focused its efforts on the acquisition of guarantees for its independence and on two missions which had become priorities (co-operation between National Control Authorities with respect to the exercise of people's right of access to the SIS, and control of the function of the technical medium. 3.3. The conditions of independence Although article 115 does not explicitly state that the JSA is an independent authority, its members are representatives of National Authorities charged with carrying out an independent control of the N.SIS in each party/State. Moreover, it should be reminded that, in Recommendation R (87) 15 of September 17, 1987, which aims at regulating the utilization of data of a personal nature in the police sector and is explicitly mentioned by article 115, it is stressed (point 1.1.) that the Control Authority charged with supervising the observance of the listed principles must be independent. The need to be independent immediately occurred to the JSA ; when the PJSA was appointed, certain choices — such as the election of a chairman rather than the six-monthly rotation of a chairmanship assumed in turn by every party/State, an established rule in other instances — were openly challenged by the party-States ; this reinforced the JSA's conviction that independence was a priority. From the moment it was initiated, the JSA therefore clearly stated the conditions of its independence and, by way of consequence, of its credibility and that of the Schengen States. Among those conditions, key elements were the adoption of an internal regulation, the release of an autonomous budget line and, in reverse, the working out of an activity report. Adoption of an internal regulation As it worked out its internal regulation, the JSA sanctioned the rule of election of its chairman and deputy chairman, introduced the quorum and majority rule for adoption of its acts and stated that its members, the observers, experts and the Secretariat's members were requested to respect confidentiality. It settled various questions pertaining to its missions, to the required conditions for being a member or an observer, to publicity of its acts and to the recourse to experts when needed for the good execution of its missions. At a later stage, it proved to be essential to have brought those elements of doctrine to the fore. The JSA specified that it could assume other missions than those entrusted to it by the Convention, for instance if they are missions related to the protection of data of a personal nature and linked with the Convention's implementation. It reminded that it was entitled to either seize a contracting Party or an instance of the Schengen System of its own accord, or to intervene upon the request of a National Control Authority, in accordance with the Convention's provisions. Subsequent to a judicial analysis of the Convention, the JSA then stated that only the representatives of National Control Authorities of parties/States on the territory of which the Convention was applicable, all ratifications having taken effect and all prior conditions being met, can be regarded as full members. It has nevertheless foreseen to grant the status of observer without further deliberations to representatives of National Control Authorities or independent experts of contracting Parties on the territory of which the Convention has not yet entered into force. The members of the JSA since its official establishment are the representatives of the National Control Authorities of Germany, Belgium, Spain, France, Luxembourg, the Netherlands and Portugal. The following representatives have acquired the status of observers : - the Italian representatives. All but two of the instruments of ratification for Italy have been deposited. Italy formerly had neither a data protection law nor a national data protection agency. This situation has just been changed by the entry into force of Law No. 675 of 31 December 1996 on the protection of the individual and other subjects with regard to the processing of personal data together with the creation of the national data protection agency on 5 March 1997; - The representatives of the National Control Authority of Austria, a country for which not all the instruments of ratification have been deposited. This situation should change at short notice ; - The Greek representatives. The ratification procedure has not yet been completed. Greece did not previously have any data protection law. This situation has changed now that the Law on the protection of the individual with regard to the processing of personal data of 20 March 1997 has been passed. Representatives of the Danish, Finnish and Swedish National Control Authorities have been welcomed as observers from March 1997. The representatives from Norway and Iceland will shortly acquire the status of observers. The JSA has indeed decided to amend its internal regulation before the end of the first semester of the year 1997 so as to modify the required conditions to acquire the status of observer. With regard to publicity of its acts, the JSA stated that its meetings would have to be held in camera ; however, it decided to determine the addressees of its acts individually for each case and to pronounce on the possible publicity thereof, without prejudice to article 115.4 which stipulates that its reports should be forwarded to the instances to which National Authorities address their reports. This decision enables the JSA to make the various Schengen instances addressees of its acts. The JSA stated that it could create work groups and resort to experts. This provision was used in particular during the control mission of the C.SIS in October, 1996. The latest version of the internal regulation adopted on October 19, 1995 is attached. Release of an autonomous budget line Since October 18, 1995, the JSA applied for the allocation of an own budget line, as a means to independently carry out the missions it was charged with. This application was examined a month later by the Central Group and did not find any encouraging resonance. It therefore reiterated its request with firmness, to both the Central Board and the Executive Committee, on December 14. The release of a budget line soon proved to be a key stake around which the respective positions of the JSA and of the Schengen States, particularly France, have revolved during the entire year 1996. In a note dated 4 April 1996 concerning its tasks and plan of action, the JSA drew up a draft budget for the attention of the Executive Committee and the Central Group. In this document, the JSA reminded that its members' travelling expenses for work sessions in Brussels would continue to be carried by the National Control Authorities and asked that the following be guaranteed : - that a secretariat, in particular for the purpose of keeping a register of its acts, as well as conference rooms, a translation and interpreting service in all languages of the Schengen States be made available ; - sufficient credit to be in a position to resort to experts when required by the good exercise of its missions, in particular in the context of a consultation for an opinion or a specific check ; - sufficient credit to work out a yearly activity report in which an account would be made of the allocation of its resources ; - reimbursement of travelling expenses of its members on the occasion of a yearly assembly in Strasbourg and, if occurring, of other specific missions. The requested budget amounted to a total of BEF 4 250 000. The JSA's budget proposal was examined by the different Schengen instances from July 3, 1996 till January 28, 1997, after a path marked with written correspondence, discussions, unofficial bilateral encounters and formal meetings. An agreement in principle was reached at last, and in practice the Central Group adopted it with a few amendments, some of which in agreement with the JSA (for example removal of the secretariat position from the budget). It must be stressed that before it marked its agreement, the JSA was assured that documents necessary for the good exercise of its missions would be translated at sufficiently short notice. This decision was announced to the JSA on February 10, 1997, the day before its first official assembly in Strasbourg, and the revised budget proposal amounting to a total of BEF 2 839 950 submitted for final approval by the written procedure by the Executive Committee in March 1996, was communicated. The chairman of the JSA informed the Central Group on February 17 of the Authority's members astonishment due to the suppression of the position related to the yearly assembly in Strasbourg, and notified that they considered that this fact could undermine the achievement of the JSA's missions and the principle of its independence. However, he added that the JSA would provisionally adapt to this budget, considering that it would obviously be re-evaluated at the next discharge ; in particular, it would have to be considered to adapt the budgets of the National Control Authorities to carry the cost of specific missions decided by the JSA in addition to carrying the travelling expenses of their representatives to work sessions in Brussels. It was also stated that this budget should be revised in function of the extension of the JSA to 5 new countries. The proposal for the requested budget and the revised proposal for 1997 are attached. Working out of an activity report Although the Convention has not imposed such an obligation on the JSA, the latter had decided in April 1996 to work out a yearly activity report. It seemed important to the JSA to account for the achievement of its missions and for the allocation of its budget in a transparent way. This first report turns out to be biennial due to various difficulties, in particular the budget problems the JSA had to face since its initial establishment. However, it will be a yearly report in the future. In the first place, the addressees of the present report are the Executive Committee and the Central Group and, in accordance with article 115.4, the National Control Authorities who are in turn charged with handing it over to their national instances and make it public through the channels they use for their own reports. Information on the Convention's functional aspects On several occasions since 1995, with increasing insistence during the preparation of the control mission to the C.SIS, the JSA has requested a number of documents essential to its knowledge of the Convention's implementation and of the operation of the SIS, so that it could carry out its mission effectively. It often encountered difficulties in obtaining these in due time and, in spite of its complaints, did not succeed yet in becoming an addressee of some of these documents as they are being worked out, in particular documents from the Steering committee and the Permanent Working Party (PWP). Chapter 4. Missions undertaken The Convention stipulates that the JSA takes opinions or works out reports. Since the Convention entered into force, the JSA examined ......... memo's, adopted ........ opinions and one report, without prejudice to the activity report. 4.1. Missions completed 4.1.1. The comparison of the data protection rules applicable in the Schengen States In 1993, the PJSA decided to draw up a questionnaire to obtain the most detailed information possible on the situation in each Schengen State with regard to the data protection provisions of the Schengen Convention (questionnaire SCH/Aut-cont (94) 16 and summary document SCH/Aut-cont (96) 19). The JSA further developed certain points of this document, e.g. the conditions under which the right of access is exercised in each party/State (excerpt attached). The questionnaire is an instrument of comparative Law and refers to international and national texts, applicable in the field of data protection and more specifically of the people's rights and liberties. It is structured around the following specific themes : transparency (declaration of creation of an N.SIS, publicity), juridical grounds of the SIRENE office and authority charged with the central competency for the N.SIS, control devices (composition and competencies of the National Control Authority), people's rights with respect to the processing of relevant data (right of access, of correction, of deletion, of indemnification, channels of recourse), security measures taken for the N.SIS, national files used to feed information to the SIS and authorities entitled to directly consult it. The aim is that each delegation should fill out the questionnaire, whether a member of the JSA or as one of its observers. Italy and the Scandinavian countries will be requested to answer its questions in the course of the year 1997, and then Greece on the basis of its new data protection law. 4.1.2. Examination of the juridical grounds of the SIRENE offices and content of the SIRENE manual The juridical grounds of the SIRENE offices The lack of specific juridical grounds for the SIRENE offices in the Convention led the PJSA to ask each of its delegations to specify whether its national office had been appointed to exercise the central competency for the N.SIS on the grounds of article 108 of the Convention, or whether it was created by an autonomous national text, in which case it was requested to state how it was linked to the central instance. The PJSA duly recorded that, with exception of Belgium, the States currently enforcing the Convention (Germany, Spain, France, Luxembourg, the Netherlands, Portugal) did not allocate the central competency for the N.SIS to their SIRENE office on the grounds of article 108, but rather created it on the grounds of a national text (France, the Netherlands, Portugal) or considered that a number of national texts on police matters or texts in relation with the Schengen Convention were sufficient to establish its juridical existence (Germany, Spain, Luxembourg). It observed that, with exception of Belgium (where the SIRENE office, as an instance with central competency for the N.SIS, is linked to the Ministry of Justice) and of Portugal (where the central instance is distinct from the SIRENE office and linked to the Ministerial Department of foreigners and frontiers of the Ministry of the Interior), the other Schengen States had entrusted the central competency for the N.SIS to their police or gendarmerie (state police corps) departments and linked their SIRENE office to these departments. To all parties/States of the Schengen Convention, the PJSA stressed the interest of stipulating the creation and competencies of the SIRENE offices within the Convention's actual text, for reasons of transparency. Content of the SIRENE manual The PJSA examined the content of the SIRENE manual's proposal several times in 1993 and 1994. This Manual, used by all Schengen States, describes the procedure for transmitting the additional information which a user having obtained a hit in the SIS will need for further action. 4.1.3. Cooperation between the National Control Authorities The opinion on the exercise of the right of access and on cooperation for the verification of data. By virtue of article 115.3, the JSA has taken an opinion on the principles of cooperation between National Control Authorities on the grounds of article 114.2. This opinion was an opportunity to examine the coordination between the provisions for the exercise of the right of verification of data embedded in the SIS and of its utilization, and the provisions of article 109 pertaining to right of access. This opinion was transmitted to the Executive Committee and the Central Group as well as to the National Control Authorities. A proposal was made to the latter, that they develop a correspondents' directory in order to facilitate the cooperation's implementation. The French Commission Nationale de l'Informatique et des Libertés (National commission for informatics and liberties), which was the first recipient of a formal application for access to the SIS — on the day on which the Convention entered into force — and received several others at a later stage, drew the JSA's attention on how difficult it actually was to effectively check the relevance of data recorded by another party/State in the N.SIS, with respect to the Convention. Subsequently, the JSA created a work group consisting of German, French and Dutch representatives and charged it with examining the set problems and proposing a harmonized solution to solve them. The work group gathered twice informally and submitted a proposal for an opinion to the JSA on 21 June 1996 This opinion was adopted on 26 November 1996 and begins with a preliminary reminder of the fact that the Convention, in its articles 109 and 114, respectively distinguishes : the right of access and communication and the right to request a verification of data and of the utilization thereof. Given that the applicable Law is the National Law of the addressed contracting Party, the competent authority for processing such applications is : - for access and communication : the instance in charge of the file for countries with a direct right of access and the Control Authority for countries with an indirect right of access ; - for verification of data and of the utilization thereof : the Control Authority in both cases. Were the data entered in the SIS by another contracting Party than the application's recipient, then article 109 subordinates communication to the fact that the signalling Party must have the opportunity to take position, and article 114 stipulates that a verification is to be carried out in close coordination with the Control Authority of the signalling Party. Cooperation between Control Authorities is not explicitly foreseen as such in the context of an application for verification, and article 114.2 does not provide for a communication to the relevant person. Subsequent to these reminders, the opinion contains the following observations: The National Control Authority receiving a formal application for a right of access and communication which will involve verifications (French Law, Belgian Law, ...) or directly addressed with a request of verification can — should the data have been entered by another contracting Party — resort to the Control Authority of that Party in order to carry out the verification in close coordination with the latter. However, by no means does such a request for coordination discharge the requesting authority, nor does it modify the applicable National Law on how such an application is to be processed. The National Control Authority to which the request for coordination is addressed proceeds with the verifications asked by the requesting Authority. The latter transmits the whole of the elements in its possession which may be useful to carry out the verification, to the addressed Authority. When the verification is completed, the addressed authority transmits the whole of the information collected during its investigations to the requesting Authority. Should the requesting Authority, in its request for cooperation by virtue of article 114.2, have referred to article 109, which foresees the possible communication to the applicant for relevant information recorded in the SIS, then the addressed Authority will include, insofar as possible, the position of its government on the communicability of the relevant information. 4.1.4. Control of the C.SIS The PJSA's site visit and the opinion dated May, 18, 1994 On March 16, 1994, the PJSA proceeded with a site visit of the C.SIS in Strasbourg. The Schengen Information System was not operational at the time, and its functional aspects were not checked. Only the installation, the building and the computers were checked. Two reports were drawn up by the Dutch and French delegations subsequent to this visit and pertained to : - physical protection (buildings and site, installations, physical protection of the access, fire protection, protection against flooding, theft and vandalism, organization, procedures and instructions) ; - operational protection (measures and procedures implemented to warrant the integrity of the data and to control access to the files and networks) ; - organizational protection (management, compartmentalization of functions, procedures, responsibilities and competencies) ; - protection of the continuity of the data processing (measures and procedures implemented to warrant a good execution of the processing operations and to prevent damages which could result from a poor execution of these operations). After studying the reports, the PJSA concluded that, on the whole, the measures taken and procedures implemented were satisfactory in view of the stipulations of article 118.1 of the Convention, particularly with respect to physical protection. However, in an opinion dated May 18, 1994, it adopted three recommendations whereby it demanded from the Central Group that the following points be observed when the Convention would be implemented : - the establishment of a physical separation between the installations of the C.SIS and that of the French "Ministère de l'Intérieur", both set up on the same site ; - full security transport and storage of the back-up copies of all the data ; - an increase of the reliability of data links between the C.SIS and the N.SIS in order to exclude or significantly reduce the risk of interrupted lines. The opinion of the PJSA was addressed to the Central Group and submitted to the Steering committee for an in-depth study. The conclusions of the latter were adopted by the Central Group and brought to the knowledge of the PJSA on September 13, 1994. It appeared out of these conclusions that the PJSA's demands were met by readily implemented appropriate measures and that those demands would be most carefully taken into consideration in the course of current and future technical developments. The JSA's control mission, the on-site inspection of 11 February 1997 and the opinion dated March 27, 1997 * the JSA decided on March 26, 1996 to undertake a control of the C.SIS in accordance with article 115.2. It appointed a work group for that purpose on June 21, charged with the check and before that : - with the study of the technical documents relevant to the C.SIS ; - with the definition of the investigations to be conducted ; - with the determination of the technical competencies required from the experts. This control mission, under the chairmanship of Mr. Faber, Luxembourg, consisted of three other members of the JSA (Mr. von Pommer Esche, Germany, Mr. Cueva, Spain and Mrs. Carblanc, France) and of three experts from the National Control Authorities (Mr. Lopez and Mr. Perez, Spain, and Mr. Ngo, France) and gathered on September 6 at the General Secretariat of Schengen. It submitted its investigation proposals to the JSA, which adopted these on September 12. It held a second meeting at the Schengen Secretariat on October 2 in view of distributing the investigation tasks to be carried out between the experts and the other members of the control mission. The Head of the C.SIS and the Central Group were informed of the control mission's final composition on October 3, and the relevant C.SIS documentary questionnaire was forwarded to them the same day. * The checks were carried out in the week of October 7. They ended on October 10 upon the request of the French Authorities, who asked the control mission's experts to stop their investigations because, in their eyes, only members of the JSA were duly authorized to carry out such a control mission. This decision gave rise to a an immediate, very sharp reaction on behalf of the chairman of the JSA and of its members. As a consequence, several meetings were organized between the Central Group and the JSA, in order to prevent this type of situation from occurring again and, in a more general way, to discuss the problems encountered by the JSA in order to obtain the allocation of an own budget line and enable it to carry out its missions under satisfactory conditions (cf. 5.1). The control mission carried out its checks according to a methodology of which the essential features were : - working out provisional checklists ; - working out a questionnaire designed to obtain general information on the system and its components, its documentation, organization and about the composition of the technical medium's exploitation team (exploitation team of the C.SIS) ; - adaptation of the checklists to the specific features of the C.SIS on the grounds of the replies to the questionnaire and the documentation made available on site. The evaluation drawn up by the control mission could not be comprehensive, due the large number of documents that had to be examined on very short notice, the ban on taking copies of these documents away to study them off the Centre's premises, and the premature end of the mission. Its report therefore only affected aspects which were checked thoroughly enough to make a grounded appreciation possible with respect to the Convention and particularly to its article 118. * The checks related to the following points : a. General controls in order to determine whether the medium unit of the C.SIS has adopted, implemented and effectively continues to follow the adequate methods and procedures to make sure that its information technology resources offer a reasonable security assurance. - Management and organization - Organizational structure and compartmentalization of tasks - Standards, rules and procedures - Systems software - Exploitation of the equipment - Logical security at the levels of the operating system, the communications system and the database management system (Système d'Exploitation de la Base de Données = S.G.B.D.). - Audit systems in the operating systems, in the communication system and in the S.G.B.D. - Physical security (perimetral security and access control to the site and to the offices, control of the physical access to equipment and communication equipment). b. Specific controls to verify whether the C.SIS file and the functional aspects of the technical medium unit charged with its management comply with the Convention's provisions. - Integrity of the C.SIS and N.SIS files (article 92.2) - Content (data embedded in the database, authorities entering the data, unambiguous identification, validity indexes, existing dates) - Automatic deletion of data of a personal nature (112.3) - Interconnected countries (articles 117 and 118.1.f) - removable computer media (storage, labelling, inventory, transfer to the storage place and out of the monitored perimeter, erasing process on reusable media, disposal of non-reusable media) - data input (article 118.1. c and g) - transportation (article 118.1 h) * The control mission made several recommendations on the grounds of the evaluation of these general and specific controls. The control mission's report was examined by the JSA on November 8 and adopted on December 5, 1996 and was then sent to the Central Group and to the French authorities charged with the function of the technical medium and invited them to communicate their remarks, if occurring. On 11 February 1997, the JSA held its annual meeting at Strasbourg and visited the C.SIS for all of its members to observe the C.SIS in operation and to exchange information with the representatives of the Central Group and the members of the technical back-up unit. Taking into account the various findings and after having acknowledged the comments from the Schengen States, the JSA adopted the final report on the inspection on 27 March 1997. It found that various aspects of the Convention had been respected, namely: - the security measures to protect the buildings housing the C.SIS were satisfactory; - the database only contained data entered by the Contracting Parties in accordance with Articles 92 (3) and 113 (2); - the only personal data contained in the database was data provided for under Article 94 (3) of the Convention; - use of flags complied with Article 94 (4). On the other hand, the JSA found that the following five points deserved to be highlighted and that recommendations on them should be made: 1. The databases of the Contracting Parties to the Convention are not identical. A large number of disparities were detected between the databases of France and Luxembourg and those of other countries; these differences date back to April 1996 and have still not been rectified six months later. The procedure for detecting differences currently followed is inappropriate: it is too infrequent (approximately once every six months) and takes too long (several months) for existing differences between the databases to be swiftly detected and rectified. The explanations given for the differences brought to light by the procedure comparing the databases (differences in the design of the databases) implied that the provisions of 92 (2) had not been fully respected (due to the design); this being the case, the Contracting Parties’ databases could never be "materially identical" as required under this Article. 2. It was noted that the members of the technical back-up unit had decided to impose a certain level of security in the absence of any external audit assessing the security standard necessary for the computer system; it was also found that the technical measures necessary to safeguard this standard of security were not always applied and that the set rules were too vague and had not been properly issued. 3. Too many people were granted top priority (super user) enabling them to access and change the contents of any file in the computer system (operating system, database and network) and to erase any trace of their action. 4. Tracing functions to verify in retrospect the operations carried out by the users, regardless of priority (date, time, terminal, user ID, type of operation) are not satisfactorily applied. 5. It was found that security for the management and transport of the magnetic media containing the SIS data is lacking. The JSA has also made the following recommendations: 1. A full analysis of the differences detected in the N.SIS and C.SIS databases should be made and actions to rectify these differences swiftly should be proposed to avoid them recurring in the future. The procedure for comparing the databases should be modified so that the differences which might be contained in the national databases can be swiftly detected and rectified. 2. An ITSEM/ITSEC certification procedure should be applied and the recommended security measures taken; at least, the set standard of security should be guaranteed. 3. Restrict priority access to the system to a strict minimum as a "super-user" account means all types of operation on the data contained in the base may be carried out without any restrictions. 4. Routine activation of tracing functions to verify all operations carried out on the C.SIS in retrospect. 5. Routine use of encryption when data is to be stored on magnetic media. In conclusion, since Article 118 applies to each N.SIS and the C.SIS separately, the JSA insists on the need to follow up the inspection of the C.SIS with an inspection of each N.SIS on an identical technical basis so as to enable an overall assessment of whether all Schengen States respect the provisions of the Schengen Convention relating to the SIS. 4.1.5. The opinion on the pilot project related to stolen vehicles On February 10, 1997, the Central Group deferred a request for an opinion to the JSA which originated from Work Group I "police and security" and concerned the participation of countries not yet integrated to the SIS to a pilot project in the field of vehicle theft. Having noted that this project tended to enable countries not yet integrated in the SIS to consult the latter through the channel of their liaison officer, the JSA asked for complementary information on the nature of the information exchanged and the transmission mode thereof. These elements were communicated to the JSA, which delivered an opinion on March 7, 1997 and reminded that : - information concerning the make, type, colour and technical features of a vehicle was not regarded as data of a personal nature if there is no link between such information and the registration number, the owner or the driver of a vehicle; - the exchange of police information, stemming from national files, between contracting Parties integrated in the SIS and other States, where the Convention has not yet entered into force, comes under National legislation in the field of data protection and under the control of the National Control Authorities, through the channels and devices of bilateral or multilateral cooperation. However, with respect to directly or indirectly nominal information recorded in the SIS, the JSA judged that such data were not accessible and could not be consulted directly by authorities of contracting Parties on the territory of which the Convention has not yet entered into force, in accordance with articles 101 and 126.1 of the Convention. 4.1.6. The opinion on the cooperation agreement on the processing of traffic offences and the enforcement of penalties (fines) in that context On February 10, 1997, the Central Group deferred a request for an opinion to the JSA which originated from Work Group III "judicial cooperation" and concerned a proposal for an agreement on traffic offences. The first part of the text foresees the access to data and information occurring in the contracting Parties' car registration books, the second part a direct notification and cooperation system including the effective enforcement by each party/State of decisions stemming from an authority of another contracting Party, without prejudice to a number of cases restricting or ruling out the enforcement of a fine. This project is based on the common declaration of the ministers and State secretaries dated June 19, 1990, by the terms of which the contracting Parties commit themselves to initiate or resume discussions in various fields, among which proceedings in traffic offence matters and the mutual enforcement of penalties (fines) were referred to. It represents a distinctive international judicial instrument but is, however, complementary to the Schengen Convention, whereby reference is made to its Title VI, pertaining to the rules for data protection applicable when information which is not recorded in the SIS is exchanged. The JSA has examined the provisions for the protection of data stipulated by the agreement proposal and took an opinion on March, 27,1997, whereby it requests that the following principles be integrated or clarified : - the right of every person to have relevant data corrected or deleted when tainted with factual or with legal errors ; - the principle of cooperation between the National Control Authorities listed under article 128.1 in view of guaranteeing the rights of access, of correction or deletion ; - the JSA's competency to take an opinion on the common aspects of protection of data of a personal nature resulting from the implementation of the Agreement. 4.2. Current missions The main, ongoing assignments of the JSA are as follows: 4.2.1. The guide to people's rights with regard to the SIS The JSA established that the provisions of the Convention of Schengen for the protection of personal data and particularly for the right of access to the SIS were widely ignored and decided to work out a brochure, intended for the public, with the objective of informing people in a comprehensive way and supplying them with all the useful practical information. The JSA decided to allocate a part of its budget to the production of that guide in the course of the year 1997, in every language of the Schengen States, and to make it available to people in consulates, airports and various national administrations. 4.2.2. The interpretation of article 102.2, pertaining to technical duplication of data of the SIS Article 102.2 stipulates that the data recorded in the SIS "can only be duplicated for technical purposes insofar as this duplication is necessary for the direct query by the entitled National Authorities". Upon the request of the Belgian Commission of private life, the JSA initiated, in view of that article, a discussion on the interpretation of the notion of technical duplication for technical purposes and of direct query, particularly with respect to the computerized query mode referred to in article 92. It also started evaluating the consequences of CD-Rom duplication of an entire N.SIS or part thereof for purposes of a query by consular or diplomatic representations. The study of the conditions of enforcement of article 102.2 indeed raises questions related to the issues of updates of duplicated information and of the level of security of transmission towards departments located outside the territories of the contracting Parties. On the contrary of the stipulations of article 118.2, the JSA is still not registered as addressee of the particular measures taken to assure the security of data in this situation ; in the course of the year 1997, it will take an opinion on the practices followed by the Schengen States in view of enforcing article 102.2 and will propose a harmonized solution, compatible with the data protection rules set by the Convention. 4.2.3. The interpretation of article 103, pertaining to control of the admissibility of queries from the SIS The German delegation drew the attention of the other members of the JSA on difficulties which arose for the implementation of article 103 of the Convention, pertaining to the recording of every tenth transmission of data of a personal nature in every N.SIS by the instance charged with the file's management. Given that article 103 of the Convention does not distinguish between the different categories of signalled entries, the control of the admissibility of a query from the system should affect all categories (articles 95 to 100). The JSA is conducting a study of the various technical solutions adopted by each party/State for the observance of article 103 ; it will take an opinion on the interpretation of this article in the course of the year 1997 and recommend the adoption of a harmonized procedure. 4.2.4. The interpretation of article 102.1, pertaining to the principle of finality for the utilization of data from the SIS The German delegation also drew the JSA's attention on difficulties brought about, in view of article 102.1, by the storage of folders relevant to signalled entries after the execution thereof. As a matter of fact, article 102.1 forbids contracting Parties to use the data stipulated in articles 95 to 100 for other purposes than those listed for each of the signalled entries referred to by these articles. However, the central instance for the German part of the SIS stores records from the SIS in the National system of its criminal investigation department after execution of the search when it believes that these records concern criminals who operate on an international scale. The JSA will take an opinion on this very important issue with respect to the principle of finality of the data before the end of the year 1997. Chapter 5. Prospects From its experience and more specifically from the difficulties it had to face to assert its authority and independence and to carry out its missions under satisfactory material conditions, the JSA has learnt that a genuine transparency is vital between all Schengen instances if the Convention is to be implemented effectively. Moreover, the JSA believes that the objectives and scope of the Schengen Convention, the extension thereof through conclusion of complementary agreements, and the complexity of the control devices for data protection justify an effort of adequate information to the citizens. 5.1. Transparency in the relations between the Schengen instances Certain difficulties referred to in the present report could have been avoided should the Convention have been more explicit in its statements on the JSA's competencies and its budgetary autonomy. Subsequently, the JSA wishes to see three simple measures adopted by the Executive Committee, in order to finally solve the problems it stumbled on when trying to carry out its missions under satisfactory conditions. Information to the JSA about the Convention's functional aspects The enlightened exercise of the JSA's missions requires that it must receive information on a regular and systematic basis on the objectives pursued by the Schengen States, in particular when complementary agreements are being concluded, and on the functional aspects of SIS and its foreseeable technical evolution, e.g. the SIRENE phase II project. It must also become a formal addressee of the monthly reports pertaining to the exploitation of the C.SIS in order to be in a position to carry out its controls in the most effective way possible. Its various requests in that spirit were only answered by the case and mostly with a rather long delay. The JSA therefore insists that from this day the documents and information it needs be forwarded automatically. Completion of the protocol for the operation of C.SIS controls By the terms of article 115 of the Convention, the control of the C.SIS is carried out by the JSA in accordance with the provisions of the Schengen Convention, with those of the European Council's Convention of January 28, 1981, including observance of Recommendation R (87) 15 of the Ministers' Committee of the European Council, dated September 17, 1987, and in compliance with the National Law of the contracting Party responsible for the function of the technical medium. As a control of the C.SIS was carried out in the month of October, 1996, previously mentioned difficulties arose. The JSA acknowledges the genuine willingness to cooperate shown by the Central Group and the French Authorities for working out a protocol for the operation of C.SIS controls. The draft of this protocol was undertaken before the end of the year 1996 and pertains to the procedure to follow when informing the Schengen States and the French Authorities that a control will take place, to what the qualities of people entitled to proceed with it should be, to the title or level required to be entitled to access to classified documents, more specifically when stamped "confidential defence", to the opportunity to make copies of all useful documents, even if classified, and to the technical modifications that must be brought to the C.SIS to meet the requirements of control of the JSA experts. The JSA wishes to see this protocol adopted as soon as possible and expresses its concern to see one request taken into consideration most seriously : that a "user account" providing direct access (excluding the opportunity to modify data) to the operating system and to the databases be made available to the JSA. The final endorsement of the JSA's budgetary autonomy The principle of release of a budget line for the exercise of its missions was adopted by the Central Group (and finally endorsed by the Executive Committee in March 1997) : the JSA expresses its gratitude with the previously formulated reservations, however it also wishes to see the rise of the total amount of that budget approved so as to tally with the increasing number of its members. It also expects that the difficulties encountered in having its work documents translated in due time by the Schengen Secretariat will be solved in an acceptable way, so that the JSA will not be compelled to use otherwise allocated sums of money for external translation expenses of specific documents. 5.2. Transparency with respect to the citizen As classical international treaties concluded between member States of the European Community, the Agreement and Schengen Convention of Schengen have abolished border controls on their inner frontiers, without prejudice to accompanying measures, before the article 7 A of the Treaty of the European Communities entered into force, which was initially foreseen for January 1, 1993. This article established an area devoid of internal frontiers in which people would circulate freely. The objective of the contracting Parties, according to the initiators of the Schengen Convention and article 134, coincides with that of the Treaty of the European Communities, completed by the single European Act. On a long term, a Common Legislation and a new system (the European Information System -EIS-) should replace the Schengen Agreements and apply to the territories of all member States of the European Union. At present, the question may be raised whether the intergovernmental context —which has always prevailed between the contracting Parties and the European institutions— is strengthened by the extension of the Convention's initial boundaries beyond the territories of the European Union, or can this be seen as a step towards the integration of new States in the EU ? At any rate, it can be regarded as the expression of the success encountered by the "free Schengen area" and its counterpart of common measures for control purposes, among which the SIS. However the implemented extension and proposals for further agreements foresee additional exchanges of information, of which the consequences for the citizen cannot be assessed yet. About the extension of the Schengen Convention and the complexity of control devices of the rules for data protection On the grounds of the Common Declaration of the Ministers and Secretaries of State on June 19, 1990, a number of agreements complementary to but distinctive from the Schengen Convention indeed tend to extend the areas of cooperation between contracting Parties (stolen vehicles, traffic offences). When these exchanges do not give rise to an input in the SIS, the applicable rules for data protection are not defined very accurately and refer back to the National Law of each party/State in the majority of such cases, and particularly with respect to the rights of people. As a consequence thereof, the complexity of the control devices for the observance of these rules increases, and the risk of a lack of harmonization of their interpretation and of their enforcement arises. The JSA is not in a position to limit this risk effectively because its role is secondary, beside the SIS. In principle, the JSA can only be seized to take an opinion by one of the contracting Parties. The governments are free to set the objectives of their cooperation in the fields of police and justice, they have the competency to determine the control devices charged with monitoring the observance of their commitments. However, they must also inform the citizen on the liberties they have acknowledged him, assuring him the observance of public and individual freedom. Though at the level of Community Law a guideline was issued to harmonize national data protection laws, nothing similar was undertaken by the governments for police and judicial cooperation. The cooperation conventions such as Schengen and Europol are distinctive international legal instruments, devoid of judicial links with one another. They contain rules for data protection which were written independently, and people have no other choice but to explore a juridical maze if they wish to exercise their rights. In that aspect, the JSA wishes to develop a closer contact with the Joint Supervisory Authority of Europol as soon as it is established, so that common informative actions could be conducted. This contact could result from a separate agreement supplementing the Agreement and the Convention. This contact would be very useful to these Authorities : they would exchange their experience of the control of the observance of the rules for data protection, and they would bring the citizen a more global vision of the rights guaranteed to him in the context of the respective objectives of each convention. In this age of intense police and judicial cooperation, in which the creation of joint information systems speeds the transmission of information and the dissemination of new working methods such as distance control (non-admissibility, discreet surveillance) and prevention by means of analysing information, the legitimate concern for transparency vis-à-vis the citizen must be given priority, not just by the JSA and other joint and national supervisory authorities, but by the governments themselves.

stampa	chiudi