SECOND ANNUAL ACTIVITY REPORT

March 97- March 98

Contents

Preface

Chapter I : Introduction

Chapter II : The Joint Supervisory Authority and its Tasks

Chapter III: Activities of the Joint Supervisory Authority from March 1997 to March 1998

Chapter IV: Joint Supervisory Authority Opinions

Chapter V : Joint Supervisory Authority Action Programme

Preface

   The second annual report of the Schengen Joint Supervisory Authority (March 1997 to March 1998) covers a decisive and a crucially important period for police cooperation and the Schengen Information System at European level: the enlargement of the area of free movement to citizens from new member states, the strengthening of the joint security and police information system and Schengen´s integration into the European Union.

1997 saw recognition of the autonomy and confirmation of the importance of the Joint Supervisory Authority (JSA), as a body responsible for upholding the rights and freedoms of the individual, in particular vis-à-vis the protection of personal data.

The JSA examined a number of fundamental issues, thus effectively ensuring that the Schengen Information System operates in line with the rules and rights laid down in the Schengen Convention. This is reflected in the JSA´s analysis of Italy and Greece´s data protection laws, its recommendations and opinions on the security requisites for processing and transmitting personal data, the amount of time this data may be kept, alerts on usurped identities and the transmission of certain categories of data to Interpol.

The JSA´s important role was recognized by the Schengen decision-making bodies: it was granted its own budget under a separate budgetary heading, it began to receive on a more regular basis the information it required in order to carry out its duties, and it was asked to deliver opinions on a range of different topics. The successive presidencies (Portugal, Austria and Belgium) have attributed ever increasing importance to the JSA.

In line with our plan of action, during this period the JSA has made significant progress towards achieving greater transparency in the way the system works and in providing information to the public.

The JSA announced its previous annual report at a press conference in Lisbon in April 1997, sent it to the European institutions and Schengen authorities, the national authorities submitted it to their respective parliaments, the conclusions were published in various different editions and can be found on the Internet pages of several data protection authorities.

The JSA did not hesitate to alert when appropriate the relevant authorities and public opinion to the security problems which came to light after information was leaked by one of the SIRENE bureaux. At the same time, it decided to launch a joint information campaign with the competent national authorities focusing on the rights of the individual vis-à-vis the Schengen Information System.

When developing the European police intelligence systems (Europol, Eurodac and the customs system) and strengthening the means of cooperation to combat large-scale organized crime, it is important to improve the mechanisms for cooperation between the joint supervisory authorities which are responsible for safeguarding, in each of these systems, the basic tenets of freedom and citizenship. The JSA will endeavour to foster this cooperation and will continue to count on the support it has received from the national data protection authorities in order to do so.

The integration of Schengen into the European Union, as provided for in the Treaty of Amsterdam, will give an added boost to the transparency of Schengen. European legislation will be enhanced by the provisions on personal data protection laid down in the Schengen Convention. The Schengen acquis that is integrated into the European Union will also include the main recommendations made by the JSA in this area and will determine the role which the JSA is called on to play.

The JSA will plan its future activities and give of its best, with a view to creating a secure area within Europe in which freedom is assured.

March 1998

The Chairman

João Labescat 

CHAPTER I : INTRODUCTION

In its first annual report, the Joint Supervisory Authority recalled the stages negotiated by the five States which first signed the Schengen Agreement in 1985, up to the signing of the Convention implementing the Schengen Agreement in 1990 and its subsequent implementation in March 1995. It also described how, during this period, the five signatory countries were joined by ten others, which also wished to participate in this area of free movement of persons.¹

It also outlined the compensatory measures provided for in the Schengen Convention to ensure that the aim of abolishing controls at the internal borders of the Member States, thus creating an area of free movement of persons, could be achieved whilst maintaining within that area at least the same level of security as before. Please find below a brief reminder of those compensatory measures.

The compensatory measures accompanying the abolition of controls at the internal borders provided for in the Convention include harmonization of visa policy, a common policy towards asylum seekers, an improvement in police and judicial cooperation, stronger measures to combat drugs trafficking, harmonization of controls at the external borders of the Schengen territory and the creation of a Schengen Information System (SIS).

The latter links up all the countries already implementing the Schengen Convention and enables its users (police authorities, embassies and consulates etc.) to gain immediate access to the information they require, regardless of which Schengen State originally entered the data.

The system contains information on individuals (those wanted for extradition, non-admissibles, missing persons, persons to be placed under discreet surveillance) and objects (vehicles, arms, documents and banknotes, stolen, missing or forged).

The creation of the SIS was accompanied by the establishment of a Joint Supervisory Authority with responsibility for monitoring the protection of personal data and, in particular, for ensuring compliance with the provisions of the Convention relating to the SIS technical support function (Article 115). The Convention also entrusts the Joint Supervisory Authority, which is made up of two members of the national supervisory authority of each Member State, with an advisory role and with the task of harmonizing legal practice and interpretation at national level.

Since the implementation of the Convention, the Schengen Joint Supervisory Authority has had to fight for recognition of its rights and independence from the Schengen decision-making bodies.

This is evident from the first annual report, in which the Joint Supervisory Authority stressed in particular the difficulties it had met with in trying to obtain its own budget, and the obstacles encountered by the group of experts designated by the Joint Supervisory Authority to carry out checks on the central part of the SIS (C.SIS) in Strasbourg.

When this report was finalized, more than one year after the C.SIS inspection, the JSA still had not received a response to its recommendations from the Schengen decision-making bodies, the only reply to have been received stemming from the French Ministry of the Interior. It was not until February 1998 that the JSA received part of the information on the C.SIS it requires to perform its tasks.

Despite the fact that some headway has been made, there still remains a great deal to be done. Although the inspection visit by the JSA to the C.SIS in Strasbourg in 1996 showed that the system on the whole worked well, it also brought to light a number of problems, some of which pose major difficulties as regards integrity.

The problems highlighted by the JSA acquire even greater significance given the fact that the number of States implementing the Convention rose from 7 to 10 at the end of 1997. This has led to a growth in the volume of data entered in the SIS.

Police information systems, including that of Schengen, are constantly evolving. This process must be accompanied by an increase in the role of the respective national supervisory authorities. The integration of the Schengen acquis into the European Union, provided for in Article 7 of the Protocol to the Treaty of Amsterdam, means greater transparency and further guarantees for the fundamental rights of the individual. The national parliaments and the European institutions will have an active part to play in ensuring that these objectives are met.

CHAPTER II : THE JOINT SUPERVISORY AUTHORITY AND ITS TASKS

In addition to its main responsibility, one which it alone is allowed to discharge (Article 115 (2)) i.e. supervision of the technical support function to the SIS, the JSA has been assigned an advisory function and the task of harmonizing legal practice and interpretation at national level.

The Convention implementing the Schengen Agreement lays down the tasks of the JSA in the following articles:

Article 106 (3):

The JSA delivers an opinion in the event that two Contracting Parties cannot reach agreement with regard to data contained in an alert that has been entered incorrectly or unlawfully. The Contracting Party which did not enter the alert has the duty of submitting the case to the JSA.

Article 115 (3):

The JSA analyses problems relating to implementation or interpretation which may arise in connection with the operation of the SIS; it looks at the problems which may arise with regard to the implementation of independent supervision by the national authorities of the Contracting Parties.

The JSA examines the problems which may result from exercising the right of access to data contained in the system;

At a more general level, it drafts harmonized proposals aimed at resolving existing problems.

Article 115 (4): 

The JSA reports to the same bodies as the national supervisory authorities.

Article 118 (2):

The JSA is informed about the special security arrangements made by each Contracting Party for transmitting data to bodies or departments located outside the territories of the Contracting Parties.

Information exchange outside the framework of the SIS:

Article 126 (3) (f):

The JSA is authorized to deliver opinions at the request of the Contracting Parties on the problems that arise in applying and interpreting Article 126 in relation to the processing of data transmitted outside the framework of the SIS for the purpose of implementing the Convention.

Article 127 (1):

The JSA may, in accordance with the conditions and provisions specified in Article 126 issue an opinion on the transmission of data from and the entry of data in a non-automated database.

CHAPTER III : ACTIVITIES OF THE JSA FROM MARCH 1997 TO MARCH 1998

Between March 1997 and March 1998 the JSA held 10 plenary meetings. All of these were held in Brussels, apart from the JSA annual meeting in Lisbon in April 1997, which was also attended by the Chairman of the Executive Committee. In addition to these plenary meetings, the JSA held five select meetings to draw up ´draft opinions´ on specific problems, write its annual report and consider future arrangements for C.SIS inspections. Moreover, on three occasions several of its members met representatives from the French Ministry of the Interior, in its capacity as the body in charge of the C.SIS technical support function. One of these meetings was attended by a Troika of the Schengen Presidencies, inter alia to take stock of the situation regarding the follow-up to the JSA´s recommendations after its inspection of the C.SIS.

It should also be borne in mind that since the JSA meeting on 7 March 1997, Sweden, Denmark, Finland, Norway and Iceland have attended JSA meetings as observers pursuant to the decision taken by the Authority in Strasbourg at its meeting of 10 and 11 February 1997.

The following issues have been dealt with in the course of these meetings: 

1. JSA

JSA membership

The JSA acknowledged the Greek and Italian personal data protection laws. This is one of the conditions which have to be met before any personal data can be entered in the SIS (Article 117), and is therefore a prerequisite for the Convention to be implemented in the territory of the Contracting States.

The JSA amended its rules of procedure² in order to grant JSA member status to the representatives of the national supervisory authorities of the countries which have acceded to the Schengen Convention, as soon as all the other conditions have been met and the Convention has been brought into force on their territory.

On the basis of this criterion, at its meeting on 12 December 1997, the JSA decided that representatives from the Italian, Austrian and Greek national supervisory authorities could, henceforth, participate in its meetings as JSA members.

Election of Chairman and Vice-Chairman

The JSA elected Mr J Labescat (Portugal) as Chairman on 12 December 1997 and Mr B de Schutter (Belgium) as Vice-Chairman on 3 February 1998.

Separate budgetary heading for the JSA

After lengthy substantive discussions, the JSA budget for 1997 was finally approved by the Schengen decision-making bodies. The version approved by the Executive Committee on 25 April 1997 was then amended to take account of the increase in the number of countries represented at JSA meetings.

The JSA budget for 1997 was set at BEF 2 839 950. The JSA closed its accounts for the 1997 financial year on 12 December 1997. The accounts revealed a credit balance of BEF 992 179 from the total budget of BEF 2 839 950 allocated to it. Expenditure went on producing the leaflet on the right to access, drafting, translating and printing the first annual report, holding the JSA annual meeting in Lisbon and on purchasing various items of equipment.

On the basis of 1997 expenditure, and bearing in mind the activities scheduled for the JSA in 1998, the Central Group approved the budget for 1998 on 23 February 1998. This budget amounts to BEF 3 239 950.

JSA secretariat

The JSA has on several occasions asked for the logistical means at its disposal to be increased and for priority to be given to JSA translations over working group documents.

The JSA has also asked for thought to be given to the possibility of it having a separate secretariat, since the ever-growing number of Schengen working group meetings affects the preparations for JSA meetings.

Moreover, the JSA has noticed that the staff in the General Secretariat give priority to preparations for Central Group or Executive meetings. To a certain extent this problem has been solved by awarding the JSA its own budget, inter alia to cover the translation costs of its annual report. On 23 February 1998, the Central Group agreed to step up the administrative support given to the JSA.

This is indeed a welcome development, as the JSA believes it cannot cope with the increasing workload unless it is able to count on the support of the General Secretariat, or unless the Secretariat at least gives the JSA priority over its own ork. The JSA also believes that the current secretariat, which has been assisting the JSA since the Convention was drafted, is the best placed to lend support.

2. Matters dealt with by the JSA

JSA opinions

The JSA has adopted several opinions, listed below in Chapter IV.

C.SIS inspection

The definitive version of the confidential technical report on the inspection of the C.SIS carried out in October 1996, which included comments from the French Ministry of the Interior, was adopted. A draft version of this report was sent to the Chairman of the Central Group, whilst the definitive version was sent on 22 April 1997 to the Chairmen of the Executive Committee and the Central Group for onward transmission to the relevant technical groups.

The latter were asked to check to what extent the recommendations on securing the SIS made by the JSA could be acted upon. Almost two years after the inspection, the official Schengen bodies still have not informed the JSA of the action they intend to take further to its recommendations.

Provisions for JSA inspections of the C.SIS

The abovementioned draft conditions governing future inspections of the C.SIS were examined during the year. At the meeting of 12 December 1997, the majority of the members of the Joint Supervisory Authority agreed that the draft conditions, which had been drawn up over the course of several meetings between the representatives of the French Ministry of the Interior and the JSA, ignored the independent status of their Authority.

As a result, it was decided that a select group would be appointed to deal with this delicate matter and to come up with a new document taking account of the security requirements set by the French Ministry of the Interior and also the need for the JSA to carry out their controls independently.

A new version was drafted by a select group of JSA members on 2 February 1998, to be approved at the plenary meeting of 6 March 1998. It will act as a new basis for discussions with those concerned.

Security at the SIRENE bureaux

Following the discovery that confidential information, notably SIS information from SIRENE Belgium³, was being traded, the JSA, having been immediately informed, adopted a press release at its meeting on 12 December 1997. This was distributed that same afternoon to the news desks and submitted to the Executive Committee on 15 December 1997.

In this press release, the JSA expressed its alarm at the incident, which dramatically demonstrated the need to constantly improve security measures governing the SIS (Schengen Information System) and the exchange of Schengen information.

The JSA requested that all national supervisory authorities immediately :

• report to the JSA on the specific security situation regarding both their SIS and their SIRENE bureau;
• determine, on the basis of those reports, what measures should be taken to step up security;
• ascertain the need for a standard annual report on the security situation;
• report on this matter at its next meeting.

The JSA went on to stress the importance of being kept informed at all times of security measures taken by the Schengen bodies and the national authorities with a view to ensuring the confidentiality of the Schengen Information System.

Several national supervisory authorities have since carried out inspections. Compilation of the first national reports is currently underway.

Annual report 

In 1997 the JSA drafted its first annual report. An initial draft was examined by the members on 7 March 1997 and approved on 27 March 1997. The structure for the second JSA annual report was approved on 3 February 1998. A draft text was discussed in a select drafting committee on 25 February 1998 and later approved by the JSA meeting of 6 March 1998. The report was then approved via the written procedure.

On 22 and 23 April 1997, the Joint Supervisory Authority held its annual meeting in Lisbon. The JSA annual report was presented to the Central Group representative at the meeting and distributed to the journalists who attended the press conference.

The press conference was attended by various Portuguese journalists from television, radio, major daily newspapers and Portuguese news agencies, as well as several foreign journalists, in particular from the EFE Agency (Spain) and Reuters (GB). In addition, further publicity was given to the JSA meeting and the presentation of the annual report in other periodicals.

The most pertinent issues for the media were the definition of the duties of the JSA, its role within Schengen, the functioning of the SIS, the type of data it contained and means of access, as well as general information on the Schengen Convention.

The report was distributed by the national supervisory authorities using the same channels as for their national reports, as well as by Internet in some cases. In some countries press conferences were held to present the document and to heighten public awareness of the JSA.

Transparency vis-à-vis the public

In a move aimed at fulfilling its obligation to inform the public, the JSA decided to publish a leaflet explaining the rights of individuals who were the subject of information entered in the SIS.

On 12 December 1997, the Joint Supervisory Authority adopted the definitive version of the text outlining the individual’s right of access to SIS information which concerns them and selected one of the designs submitted by one of the advertising agencies it had consulted.

This text, which is annexed hereto, comes in the form of an information leaflet and will be distributed to the authorized crossing points at Schengen’s external borders. Posters will be put up to inform the public that these leaflets are available.

The success of this initiative will hinge on how well the documents are distributed. The JSA is therefore counting on the support of the national supervisory authorities, the Schengen bodies and the competent national authorities.

Information for the JSA

In April 1997, at the request of the Joint Supervisory Authority, the Central Group asked the C.SIS and Management Unit to make their monthly reports available to the JSA. The JSA felt it necessary to have these documents to ensure that the rules governing personal data protection were being upheld.

On 7 May 1997, the Chairman of the Central Group sent a letter to the Chairman of the Permanent Working Party and to the head of the French delegation, responsible for the C.SIS, calling on them to enforce the decision of the Central Group. Although the C.SIS reports have been sent to the JSA on a regular basis, the same cannot be said for the Management Unit, which only began sending its reports on 6 March 1998.

Relations between the JSA and the Schengen authorities

On 16 June 1997, a meeting was held in Brussels between representatives from the JSA and the Central Group and the French Ministry of the Interior, which is responsible for the C.SIS technical support function.

The representatives of the JSA were given an update on the situation regarding loading of real data for Italy, Greece and Austria in the SIS. Details concerning the capacity of the SIS to cope with these three new countries were also provided.

The question of the follow-up to the confidential report on the inspection of the C.SIS was also broached, and the participants approved the proposal tabled by the French Ministry of the Interior that they draft, in consultation with the representatives of the JSA, a protocol defining future JSA inspection visits to the C.SIS. Details of JSA budget appropriations were given, and the JSA opinion 97/1 on copying some of the SIS alerts was officially presented.

The principle of regular meetings between the JSA and the Central Group, possibly alongside their normal scheduled meetings, was also accepted. Such meetings could pave the way for better information exchange between both these authorities.

On 4 March 1998, at the invitation of the Belgian Presidency, a JSA delegation duly took part, for the first time, in a Central Group meeting, preceded by a visit to the C.SIS.

This meeting provided scope for mutual information exchange: the JSA presented its work programme and restated the duties devolved upon it by the Convention; in return, it received technical explanations on SIS development.

The JSA and the Central Group undertook to step up mutual information and to engage in closer cooperation in future. The JSA would thus have the opportunity to monitor certain stages of the work on the SIS, enabling it to ensure that its recommendations, on the system’s security in particular, were taken into account for the future.

CHAPTER IV : JOINT SUPERVISORY AUTHORITY OPINIONS

 On examination by the Joint Supervisory Authority, it emerged that several of the opinions under scrutiny required additional information. This explains why some of the opinions mentioned below already appeared in the first annual report. Furthermore, the first two opinions included here, approved in March 1997, can also be found in the previous report. The opinions are briefly summarized below and reproduced in their entirety in the annex to this report.

1. Opinion of 7 March 1997 on the "trafficking of stolen vehicles" pilot project - Working Group I on Police and Security (SCH/Aut-cont (97) 22 rev)

On 10 February 1997, the Central Group sent the JSA a request from Working Group I on Police and Security for its opinion on the participation of countries not yet integrated into the SIS in a pilot project on stolen vehicles.

Having noted that this project tended to enable countries not yet integrated into the SIS to consult the system via their liaison officers, the JSA asked for additional information on the nature of the information exchanged and the means used to transmit it.

This information was communicated to the JSA, which delivered an opinion on 7 March 1997, in which it pointed out that: 

• information on the make, type, colour and technical features of a vehicle is not in itself regarded as data of a personal nature if there is no link between such information and the registration number or the owner or the driver of the vehicle;
• the exchange of police information from national files between Contracting Parties integrated into the SIS and other States where the Convention has not yet been implemented, via channels for bilateral and multilateral cooperation, is subject to national data protection legislation and under the control of the national supervisory authorities,

However, the JSA took the view that directly or indirectly personalized data recorded in the SIS should not be accessible and could not be consulted directly by the authorities of Contracting Parties on whose territory the Convention had not yet been implemented, in accordance with Articles 101 and 126 (1) of the Convention. 

This opinion was communicated to Working Group I, which took it into account in implementing its project. Other pilot projects, such as the pilot project on drug routes currently in preparation, should also bear it in mind.

2. Opinion of 7 March 1997 on the Cooperation Agreement on the processing of road traffic offences and the enforcement of financial penalties in respect thereof (SCH/Aut-cont (97) 19 rev).

On 10 February 1997, the Central Group sent the JSA a request from Working Group III on Judicial Cooperation for its opinion on a proposal for a draft Cooperation Agreement on road traffic offences. 

The text provides for access to information and data in the Contracting Parties´ vehicle registration files and for a system of direct notification and cooperation, as well as for the actual enforcement by each Contracting State of decisions from an authority of another Contracting Party, without prejudice to specific cases which restrict or rule out the enforcement of a fine. 

This project is based on the Joint Declaration of the Ministers and Secretaries of State of 19 June 1990, in which the Contracting Parties undertake to initiate or continue discussions in various fields, including proceedings for road traffic offences and the reciprocal enforcement of fines.

While the Agreement constitutes a separate international legal instrument, it also complements the Schengen Convention, and reference is made to Title VI of the latter on the rules governing data protection when exchanging information not recorded in the SIS. 

Having examined the provisions on data protection laid down in the draft Cooperation Agreement, the JSA delivered an opinion on 27 March 1997 requesting that the following principles be incorporated or clarified: 

• the right of every person to have data containing factual or legal errors corrected or deleted;
• the principle of cooperation between the national supervisory authorities listed under Article 128 (1) with a view to guaranteeing the rights of access, correction or deletion;
• the JSA´s powers to issue an opinion on the common aspects of protection of personal data resulting from the Agreement’s implementation.

This opinion was sent to Working Group III which consequently adapted its draft opinion. 

3. Opinion 97/1 of 22 May 1997 on copying SIS data (SCH/Aut-cont (97) 38 rev)

Article 102 (2) stipulates that data recorded in the SIS may only be copied for technical purposes, provided that such copying is necessary so that the authorities referred to in Article 101 can carry out a direct search.

At the request of the Belgian Committee responsible for issues relating to personal privacy, the JSA initiated a discussion in regard to this Article on how to interpret the phrases "copying for technical purposes" and "direct search", particularly with reference to the automated search procedure mentioned in Article 92.

The JSA also started assessing the consequences of CD-Rom duplication of an entire N.SIS or part thereof for the purpose of searches by consular or diplomatic representations.

The review of the conditions for implementing Article 102 (2) raised questions related to the updating of duplicated information and to the level of security of transmission to offices located outside the territories of the Contracting Parties.

Consequently, the JSA proposed a co-ordinated solution which is compatible with the rules governing data protection laid down by the Convention.

In Opinion 97/1, it pointed out that whatever means were used by the diplomatic missions and consular posts of certain Schengen States abroad to search SIS data pursuant to Article 96 of the Schengen Convention, the following rules had to be observed :

• The methods and means of duplication should guarantee that data is identical, in real time, to data processed at the C.SIS.

• At least the level of protection required in Article 118 (1) of the Schengen Convention and especially its subparagraphs b), d) and f) should be guaranteed and the provisions of Article 118 (3) of the Schengen Convention should be observed.

• The programme on which they are based should enable data to be recorded in accordance with the provisions of Article 103 of the Schengen Convention;

These records should be returned to the Schengen State every six months and made available to the national supervisory authority provided for under Article 114 of the Schengen Convention, by the body with central responsibility for the national section of the SIS provided for under Article 108 (1) of the Schengen Convention.

In the event that duplication aids are used which entail the risk that the data will not be identical, the JSA urged that the Contracting Party assumes its responsibility, as provided for in Articles 92 (2) and 116 of the Convention, as follows : 

• where an alert exists for an individual in the duplicated aid used, the Contracting Party shall carry out a real-time check (network, telephone, Fax) to confirm the accuracy of this information;

• where no alert exists for an individual in the duplicated aid used, the Contracting Party shall accept responsibility in the event that an alert is issued for the same individual in the space of time between the duplication of the data and real time. This responsibility may be relinquished only if there is proof of a real-time check at the time of the visa application.

On examining this matter, the JSA found that, contrary to the provisions of Article 118 (2), it had not been advised of the specific measures taken to ensure data security in such cases. 

On 6 December 1996, therefore, the JSA asked the Central Group to provide it with details of the measures taken by the Schengen States to comply with Article 118 (2) of the Convention.

At the time of writing, the JSA is still awaiting this information, which it will use to check whether the measures being implemented in the States comply with its interpretation of the Convention.

4. Opinion 98/1 of 3 February 1998 on archiving documents after alerts have been deleted (SCH/Aut-cont (97) 55 rev 2).

The JSA´s attention was also drawn to difficulties arising in connection with Article 102 (1) from the retention of documents on alerts after their deletion.

In fact, Article 102 (1) prohibits the Contracting Parties from using the data stipulated in Articles 95 - 100 for purposes other than those laid down for each type of alert referred to in those articles.

However, the national police departments in certain Contracting Parties keep documents relating to alerts even after alerts issued pursuant to Article 95 (f) of the Convention have been deleted and use them to compile criminal files.

For this purpose the police authorities invoke provisions in national data protection law (see Point 2.1.3. b of the SIRENE Manual) and the provisions of Title VI of the Convention. 

The JSA considered this matter to be extremely important in relation to the purpose for which alerts were used. In its opinion of 3 February 1998, the Joint Supervisory Authority pointed to the fundamental principles and rights laid down in the Convention with regard to data protection, and in particular to the following :

1. data may be supplied and used solely for the purposes laid down for the alert itself (Article 102(1) and Article 94(1) of the Convention). A derogation from this general principle may only be made if it is necessary in order to avert an imminent serious threat to public order and safety or for compelling reasons of national security or for the purpose of preventing the commission of a serious offence (Article 102(3)).

2. Any use of data which does not comply with Article 102 (1 to 4) shall be regarded as misuse (Article 102(5)).

3. Pursuant to Article 112 of the Convention, personal data saved in the Schengen Information System for the purpose of locating persons shall be stored no longer than is necessary for the intended purpose.

4. These basic principles shall apply by way of a complementary interpretation of legally binding texts to all types of data processing relating either directly or indirectly to alerts in the Schengen Information System.

The Joint Supervisory Authority therefore believes the following measures should be taken :

1. after an alert issued for the purpose of locating an individual has been deleted, every Contracting Party to the Schengen Convention shall, pursuant to Article 112 of the Convention, destroy all its accompanying documents immediately.

b. the Schengen bodies shall revise the SIRENE Manual with a view to deleting the provisions under 2.1.3 b) which contravene the Schengen Convention.

5. Opinion 98/2 on entering an alert in the Schengen Information System on individuals whose identity has been usurped (SCH/Aut-cont (97) 42 rev 2)

In cases of impersonation, alerts for persons who have usurped someone else’s identity are entered in the SIS in certain countries under the name of the person who has been impersonated.

In other words, the system contains an alert with an identity which corresponds neither de facto nor de jure to the real identity of the wanted person, and the identity of the person who has been impersonated is entered in the SIS without this person receiving any prior notification.

Some States are in favour of a procedure whereby personal data relating to persons who have been impersonated should be deleted immediately, whereas other States argue that the alert containing the usurped identity should be retained even if the person whose identity was incorrectly entered in the SIS requests that this data be deleted. The argument put forward by those in favour of maintaining the alert is that the impersonator must be found. 

The JSA has examined the problems encountered as a result of the misuse of aliases by individuals who are the subject of an alert in the SIS in the light of the principles governing data protection laid down in the Schengen Convention. It has reiterated the following fundamental rights and principles with regard to data protection:

a. The data may be supplied and used solely for the purposes intended for each alert (Articles 102 (1) and Article 94 (1)); any derogation from this rule shall be exceptional and justified by the need to prevent an imminent serious threat or a serious offence (Article 102 (3)).

b. Any use of data which does not comply with paragraphs 1 to 4 shall be regarded as misuse (Article 102 (5)).

c. The right of an individual who finds that data relating to their person is factually or legally inaccurate to have this information corrected or deleted (Article 110 (1)).

d. The right of an individual to bring an action before the courts or the authority competent under national law to correct or delete data in an alert concerning them (Article 111 (1)).

e. The right of an individual to ask the supervisory authorities to check data in an alert concerning them (Article 114 (2)).

The JSA, taking due and balanced account of the rights as laid down in the Schengen Convention of the person whose identity has been usurped and the need to detect the impersonator hereby delivers the following opinion :

1. Entry of data in the SIS on individuals whose identity has been usurped shall be governed by national law, unless more stringent conditions are laid down in the Schengen Convention (Article 104 (1)).

2. The Contracting Party issuing the alert shall guarantee that data is entered solely for the specified purposes and that it is up-to-date and correct (Article 102 (1), Article 106 (1), Article 110, and the provisions relating to data protection laid down in the Council of Europe Convention (No. 108), inter alia those contained in Article 5, which are binding on the Schengen States).

3. The Contracting Party issuing the alert shall guarantee the right to correction or deletion of the data stored, in accordance with the procedure laid down in Article 106 of the Schengen Convention.

4. The question as to whether an alert on an individual whose identity has been usurped should be kept in the SIS should be evaluated in accordance with the proportionality principle, with consideration given on the one hand to the rights of the person whose identity has been usurped and on the other to the need to detect the impersonator.

5. In the interim period until the SIS II is brought into service, an appropriate, and if possible, joint solution should be sought and adopted so as to indicate that the alert is on a usurped identity. The JSA would be willing to cooperate to help find a solution of this nature.

6. Opinion 98/3 on the possibility of linking the Schengen Information System and the "Interpol ASF⁴ - stolen vehicles" project (SCH/Aut-cont (97) 50 rev 2)

This proposal, outlined in a note from the SIS Steering Committee, involves transmitting SIS data in respect of individuals and stolen vehicles, and at a latter stage other categories of data, to an Interpol database. 

The JSA restated many of the Schengen Convention’s principles, gave its opinion on Schengen’s "stolen vehicles" pilot project and, focusing solely on the protection of personal data, issued the following opinion:

1. Information and personal data contained in the Schengen Information System cannot be transmitted to Interpol in connection with the ASF - stolen vehicles project without breaching the provisions of the Convention, and in particular Articles 101, 102, 118 and 126.

2. Information on the make, type, colour and technical features of the vehicle is not personal data as such within the meaning of the Schengen Convention.

3. The transmission of information to Interpol as part of the ASF - stolen vehicles project does not breach the provisions on the protection of personal data contained in the Convention, insofar as the data cannot be linked to the identity of the person connected with the vehicle.

4. Police exchanges of information on stolen vehicles, taken from national files, are governed by the relevant national legislation, and more specifically legislation on data protection. 

7. Opinion 98/4 on the interpretation of Article 103: checking whether SIS searches are acceptable or not (SCH/Aut-cont (97) 70 rev)

The JSA’s attention was drawn to the difficulties encountered in implementing Article 103 of the Convention, in relation to the recording of every tenth transmission of personal data in the national section of the Schengen Information System by the authority responsible for the data file.

Taking into account that the Schengen Information System (SIS) is an automated search system which requires effective protection from unauthorized access by third persons, the JSA concluded that logging a representative average number of times the system is consulted constitutes an appropriate means of preventing unauthorized access.

The JSA has conducted a study of the various technical solutions adopted by each Contracting State to comply with Article 103.

It found that the Contracting Parties interpret differently the requirement laid down in the Convention i.e. that every tenth transmission of personal data be recorded in the national section of the Schengen Information System by the authority responsible for the data file for the purpose of checking whether the search is acceptable or not (Article 103).

The JSA issued an opinion on the interpretation of this article with a view to harmonizing the Contracting Parties’ approach. 

The Joint Supervisory Authority considered that recording as laid down in Article 103 of the Schengen Convention should comply with the following minimum requirements :

1. The log must be sufficiently representative of all consultations, regardless of whether the outcome was a hit or a negative response. The minimum requirement of 10 per cent can also be met by recording at regular intervals.

2. The most important elements for appropriate logging are as follows:

a. biographical data transmitted on the person on whom the search is run,

b. identification of the terminal or the authority which carried out the search, ensuring that all the necessary measures are taken to enable the user to be identified,

c. place, date and time of the search

d. grounds for consultation, e.g. the legal basis for the alert.

3. In addition, the following are also desirable for checking the admissibility of data searches in individual cases: the reference number or police day book number, if this exists, used for locating the relevant file.

The data shall be used solely for the purposes laid down in Article 103.

The recorded data shall be deleted within six months.

The JSA insisted that the requirement laid down in Article 103 of the Convention be taken into account in accordance with its opinion.

Chapter V : Action programme 

The action programme put forward by the Chairman of the JSA for the first half of 1998 was adopted on 3 February 1998.

This programme aims to strengthen the JSA’s role within Schengen, outlines its priority measures aiming to guarantee data protection and recommends greater cooperation between the Schengen bodies.

The JSA will continue to act in an advisory capacity and will pursue its task of harmonizing national legal practices and legal interpretations by continuing to issue opinions. It will see to it that the opinions it has adopted have been adequately publicized by the Central Group - failing this, it will reach an agreement on publication of its opinions.

Special attention will be paid to the measures taken by the Schengen decision-making bodies in response to JSA opinions and recommendations, in particular where C.SIS security is concerned. Indeed, although both Schengen Presidencies in 1997 instructed the technical groups to examine the JSA’s recommendations, the JSA feels that this issue has not yet been accorded the priority it deserves.

The JSA would like the Schengen bodies to inform it very quickly of the action they intend to take further to its recommendations. This applies in particular to the JSA’s request for a special user account to facilitate checks.

While the proposed user account would not provide the facility to make changes, it would give the JSA direct access to the operating system and databases, thus making it easier to carry out C.SIS checks.

Security in the Sirene Bureaux will be subject to special inspections in all countries in the future, followed by a final report.

The JSA will see to it that the leaflet on the individual´s right of access to SIS data which concerns them is distributed to the authorized crossing points at the external borders of the Schengen area.

The JSA will strengthen its ties with EU representatives, pending the integration of the Schengen acquis into the Union, in particular by participating in the definition of its acquis. This issue will be crucial for the development of European police systems.

At its press conference in Brussels on 28 April 1998, it will present its annual report to the general public and to the press.

On 30 June 1998, it will hold a colloquium in Lisbon on the topic of individual rights vis-à-vis police information systems, based on the Schengen model.

Declaration of the JSA Observer States

"Having observer status in the JSA, the Nordic countires share the concerns of the full members as expressed in the annual report. They also share the main viewpoints expressed in the opinions referred. Among other things, it is of greatest importance that the advice and opinions given is observed and respected by the central as well as the national bodies in the Schengen system.

The presence of the Nordic national data and privacy protection commissions in the JSA is of utmost importance in the efforts aiming at ensuring common, public acceptance and support of the important work done in accordance with the Schengen Convention. The Nordic observers are of the opinion that the JSA may need to have its economic resources strengthened in the future. They see an immediate need to further strengthen the administrative capacity of the secretariat but will also not exclude the need for more formal authority."

I. JOINT BODIES RESPONSIBLE FOR IMPLEMENTING THE CONVENTION

The Contracting Parties created the following two bodies for the purpose of implementing the Convention :

• The Executive Committee, consisting of the ministers responsible for applying the Convention in the respective Schengen States. The task of the Committee is to ensure that the Convention is correctly implemented. It also possesses special powers (Article 131).

• The Joint Supervisory Authority (JSA), which consists of two representatives from the national control authority in each of the respective Schengen States. It has the task of ensuring that the provisions of the Convention relating to the technical support function of the SIS (Article 115) are correctly applied. It also possesses more general powers in the area of data protection.

In addition to these two bodies, there is the Central Group, which oversees a Steering Committee and a number of working groups, some of which were set up directly pursuant to the Convention⁵.

Administrative support for the Schengen committees and groups is provided by the General Secretariat of the Benelux Economic Union, which is based in Brussels.

An organogram is annexed to this report.

II. OBJECTIVES AND ARCHITECTURE OF THE SCHENGEN INFORMATION SYSTEM

Title VI of the Schengen Convention is devoted entirely to the Schengen Information System (SIS). 

Article 93 of the Convention stipulates that the purpose of the SIS is to use the information provided via the system to safeguard public order and security, including national security, and ensure that the provisions contained in the Convention with regard to the movement of persons are applied.

Information recorded

Article 94 contains a detailed list of categories of data that can be stored in the system. The purposes for which alerts may be entered are given in Articles 95 to 100.

The above categories relate to persons, objects and vehicles.

• Data on persons may include marital status, possible aliases and any specific and objective physical characteristics not subject to change; data may also indicate whether a person is armed or violent and what steps are to be taken if the person is discovered.

·         "Sensitive" information, e.g. concerning racial origin and political, religious or other beliefs, and information concerning a person’s health and sexual activities may not be entered.

An alert for a person may be entered in the SIS for the following reasons : 

a. Regardless of nationality :

- arrest for the purpose of extradition (Article 95)

- to determine the whereabouts of a missing person, of minors or of persons whose detention has been ordered by the competent authorities (Article 7);

- arrest for the purpose of appearing in court, either as a suspect or a witness; at the request of the judicial authorities in connection with a criminal investigation or for the purpose of serving a custodial sentence (Article 98);

- discreet surveillance and specific checks, conducted for the purpose of prosecution in connection with a criminal offence, averting a threat to public safety or national security (Article 99).

b. In the case of aliens, i.e. persons who are not nationals of any of the Member States of the European Communities (as defined in Article 1, paragraph 6):

- refusal of entry to the Schengen area pursuant to a decision taken by the competent administrative or judicial authority subject to national laws, a decision based on the danger posed to national security and public order or a decision based on the fact that the alien concerned has contravened national provisions governing entry and residence (Article 96).

• With regard to objects, the only data that may be entered, apart from the name of the owner, is that relating to vehicles, firearms, documents and banknotes which have been stolen, misappropriated or lost and which are sought for the purpose of confiscation or for use as evidence in criminal proceedings (Article 100).

• Likewise, data on vehicles may include information on vehicles that are sought for the purpose of discreet surveillance or specific checks (Article 99, see above). This category can also include information relating to the driver and the passengers of the vehicle concerned.

Access to information 

Articles 92 and 101 of the Convention state that authorities designated by the Contracting Parties are entitled, either by means of an automated search procedure or otherwise, to have access to :

- all the data stored in the SIS: for the purpose of border checks and police and customs checks carried out in the country in accordance with national law;

- only the category of alerts entered for the purpose of refusing entry: for the purpose of issuing visas, residence permits and the registration of aliens for the purpose of applying the provisions of this Convention on the movement of persons.

The list of authorities authorised to search the SIS directly should be sent to the Executive Committee (Article 101 (4).

Architecture of the Schengen Information System 

Although several article sin Title IV lay down that certain technical measures should be observed, the general description of the system is given in Article 92. 

The Schengen Information System (SIS) consists of one national section (N.SIS) for each of the Contracting Parties, and a technical support function (C.SIS), set and maintained jointly. Responsibility for the system rests with the French Republic. 

The technical support function, based in Strasbourg, serves to ensure that all the national systems are essentially identical. The C.SIS therefore has a database which ensures that national databases are identical by providing information on line.

Data is transmitted in accordance with protocols and procedures established jointly by the Contracting Parties for the technical support function. 

Article 118.4 stipulates that the safety measures taken for the technical support function must be identical to those that have to be taken by the various national SIS’s (Article 118 (1-3). 

iii. The SIRENE BUREAUX

The SIRENE bureaux (Supplementary Information Request at the National Entry) were set by the Contracting Parties. They are not expressly provided for in the Convention.

The national SIRENE bureaux are responsible for exchanging additional information based on the SIS. They also operate as intermediaries when the States hold consultations to determine what action to take when an alert is implemented.

Their tasks and activities are describe din detail in a common manual known as the "SIRENE Manual". The main task of the SIRENE bureaux is to consult before an alert is entered, exchange information, check to ensure that multiple alerts have not been entered and set priorities.

IV. PROTECTION OF PERSONAL DATA

1. National law and a national supervisory authority : prerequisites for implementing the Convention

The Schengen States have laid down a number of prerequisites for the implementation of the Convention on their respective territories. The Final Act lays down that fulfilment of these prerequisites is compulsory. 

One of these prerequisites concerns the mandatory establishment of a national supervisory authority (Articles 114 and 128) and introduction of personal data protection legislation before any personal data can be transmitted. 

With regard to the automatic or non-automatic processing of data provided in accordance with the Convention, the latter contains the following provisions :

a. for the automatic processing of data provided for the purpose of implementing the provisions of Title VI (Schengen Information System) :

Article 117 

As regards the automatic processing of personal data which is transmitted pursuant to this Title, each Contracting Party shall, no later than the date of entry into force of this Convention, take the requisite steps at national level to ensure a degree of protection of personal data at least equal to that resulting from the principles laid down in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data, and in accordance with Recommendation R (87) 15 of 17 September 1987 of the Committee of Ministers of the Council of Europe regulating the use of personal data in the police sector.

The transmission of personal data provided for in this Title may take place only where the arrangements for the protection of personal data provided for in paragraph 1 have entered into force in the territory of the Contracting Parties concerned by the transmission.

b. for the automatic processing of other data transmitted pursuant to the Convention, apart from data relating to applications for asylum:

Article 126 : 

This article lays down that at the time of the Convention’s entry into force, the level of protection of personal data should be at least equal to the level resulting from the principles laid down in the Convention of the Council of Europe of 28 January 1981 and that data must not be transmitted unless this level of protection actually exists in the territory of the Contracting Parties involved in the transmission.

Article 129 : 

With regard to the transmission of data relating solely to police cooperation, the Contracting Parties should create a level of protection that is in keeping with the principles of the abovementioned Recommendation R (87) 15 of the Committee of Ministers of the Council of 17 September 1987.

c. With regard to the transmission pursuant to the Convention of data taken from or entered in a non-automated data file, apart from data relating to applications for asylum, the SIS or mutual assistance in criminal matters:

Article 127 : 

Application of the provisions of Article 126 and, where the transmission of data for the purpose of police cooperation is concerned, a level of protection that complies with the principles contained in the above Recommendation R (87).

d. Lastly, with regard to the transmission of data not stored in non-automated data files, the specific provisions on protection contained in Article 126 (3) apply, with one exception. The national supervisory authority shall if necessary supervise transmission (Article 128, paragraph 2). 

2. The scope of the Schengen Convention and the scope of national law 

With regard to the protection of personal data, the Schengen Convention creates a complex distinction between the scope of the provisions of the Convention and the scope of the national law of the Contracting Parties.

The rights of the individual with regard to the SIS 

The general rule here is that where the Convention contains no specific provisions, the national law of the Contracting Parties applies. 

The Convention specifies the rights of the individual and any limitations placed upon them. These rights are exercised subject to the aforementioned provisions and in accordance with the national law of the Contracting Parties.

a. Right of access to information and communication of information (article 109)

Every person has the right of access to information stored in the SIS which relates to him. He or she should submit a request for this purpose to any of the Contracting Party’s competent authorities. 

Information concerning the person submitting a request may be communicated to him, national law permitting. In accordance with the principle of data ownership, the State which has received the request and which is not responsible for entering the data in the SIS must first give the Contracting Party which issued the alert the opportunity to give its opinion. 

Communication of information may be refused if there is possibility that it may jeopardise the fulfilment of the task specified in the alert or if it is essential in order to protect the rights and freedoms of third parties. It will in any event be refused if the person concerned is the subject of an alert issued for the purpose of discreet surveillance.

b. Right to have information corrected (Article 110)

Anyone has the right to have inaccurate information concerning him or her corrected or deleted. In practice, communication of the data stored in the system facilitates the exercise of this right.

c. The right to bring an action for the purpose of correction, deletion, communication of information or to obtain compensation (Article 111).

Any person is entitled to exercise his or her rights before the competent court or authority in the territory of any of the Contracting Parties. Final decisions in such matters are enforced by the Contracting Party concerned.

d. Right to request that the data be checked (Article 114(2))

Any person has the right to request the supervisory authorities to check the data stored in the SIS which relates to him, as well as the use made of it. If the data has been entered by another Contracting Party, the check shall be carried out in close consultation with the supervisory authorities of the Contracting Party which has entered the alert. 

Although an exhaustive list of the requests submitted to the Schengen States for the purpose of exercising the abovementioned rights has not yet been drawn up, the information available shows that the number of requests per State in the past two years is between one and forty.

Supervision of the Schengen Information System 

The principles on data protection which apply without prejudice to the national law of the Contracting Parties to the processing of data stored in the SIS are laid down in Article 104 of the Convention. For the purpose of supervising compliance, the Convention provides for the Joint Supervisory Authority and the national supervisory authorities to share responsibility. 

The principles contained in the Convention are as follows: 

a. The principle that information should be entered in the SIS, except in certain cases which are listed in detail, for a particular purpose and used only for that purpose: extradition, refusal of entry, missing persons, witnesses, persons summonsed or convicted, stolen objects, persons or vehicles subject to discreet surveillance or specific checks (Articles 94 to 100, see above).

b Ban on processing sensitive data and an exhaustive list of data that has been entered (Article 94, see above).

c. Definition of the persons or bodies with access to the data: access restricted to national authorities competent in certain areas and only in so far as such access is necessary to enable them to perform their tasks (Article 101, see above).

d. Ban on copying alerts entered by other Contracting Parties in a national database and restriction on duplication for technical purposes (Article 102).

e. Obligation to record every tenth transmission of personal data for the purpose of checking whether the search is acceptable (article 103).

f. Laying down a fixed period of time for keeping data (Articles 112 and 113).

g. Obligation to preserve deleted data for one year in technical support function for the purpose of retrospective accuracy checks and to determine whether it was lawfully entered (Article 113 (2)).

With regard to checks on the system, the Convention lays down that each of the Contracting Parties must appoint a national authority to perform the task of supervising the national section of the Schengen Information System (N.SIS) independently and in accordance with national law (Article 114).

These authorities are responsible for examining whether the data protection provisions contained in the Convention and any provisions applicable under national law are being complied with.

Supervision of the technical support function (C.SIS), on the other hand, is allocated to the Joint Supervisory Authority, which must perform its tasks in accordance with the Schengen Convention, the Convention of the Council of Europe for the Protection of Individuals with regard to the Automatic Processing of Personal Data and the Recommendation of the Council of Europe regulating the use of personal data by the police, and pursuant to French law.

Information exchange outside the framework of the SIS 

Title VI (Articles 126 et seq.) of the Convention, entitled "Protection of Personal Data", focuses on the rules that apply to information exchanged in the context of implementing the Convention but not based on data entered in the SIS. (cf. point 2.1, b and c). 

The principles laid down (use of the data solely for the intended purpose, restrictions on the d rights has not yet been drawn up, the information available shows that the number of requests per State in the past two years is between one and forty. 

Supervision of compliance with the rules contained in the Convention is the task of the national supervisory authorities. 

The JSA plays a complementary role: it may issue an opinion on the problems arising from the application and interpretation of these rules.