This document is Deliverable D2.2 of Task T2.2, WP2 – Privacy of the PROTECT project. The aim of D2.2 is to explore the current and proposed European legal framework regulating biometric Schengen border control in order to identify legal, privacy and data protection constraints which should be taken into account by PROTECT scenarios described in D3.11.
In order to be able to identify the legal constraints under current and proposed EU law for the usage of the multimodal biometric “on the move” solutions developed within the PROTECT project scenarios in D3.1, the first preliminary question which should be raised is: “Which is the exact purpose/extent of the border checks that could be “facilitated” thanks to the PROTECT system?”. Indeed, according to article 5 of the General Data Protection Regulation (GDPR), one of the main principles relating to the processing of personal data is the purpose limitation principle, according to which “personal data shall be collected for specified, explicit and legitimate purposes”.
In this Deliverable, it is assumed that the purpose of D3.1 scenarios is to “facilitate” public border control authorities to speed up their public interest missions of border control management by enrolling additional biometrics in travel documents (or smartphone apps acting as travel documents).
Bearing this public interest purpose fact in mind, the purpose of this Deliverable is to thoroughly analyse:
Legal constraints deriving from legislation regulating EU travel documents (E-Passports, residence permits, visas), Schengen IT systems (in particular, VIS, SIS, EES, SLTD, API and ETIAS) and more generally legislation regulating cross-border movements at the Schengen external borders (the Schengen Borders Code)
Legal privacy constraints related to the collection, storage and processing of personal data for public interest missions, in particular biometric data. These legal constraints are mainly regulated by article 8 of the European Convention on Human Rights, Directive 95/46/EC and the General Data Protection Regulation (GDPR).
Without any will to pre-empt any conclusions, it is a fact that the scenarios proposed by D3.1 should more than certainly be considered as beyond the scope of current EU legislation. One of the main reasons of this conclusion is that consent of travellers cannot be considered as a legitimate basis of lawfulness under the GDPR to allow public border control authorities to speed up their public interest missions by enrolling additional biometrics in travel documents (which currently may not be replaced by a smartphone app).
This being said, Deliverable “D2.3 - Privacy impact of next-generation biometric border control” will analyse if, as an alternative to D3.1 scenarios, emerging biometric modalities could be processed in a “passport companion” such as a smartphone for “comfort and convenience purposes” of travellers on basis of their consent. The idea would be to analyse − from a privacy and data protection point of view − the possibility and the conditions to enrol additional biometrics in a smartphone app for travellers willing to join a “PROTECT programme” allowing them to be given priority in waiting areas for “traditional” security and border checks and/or allowing them
|Place of Publication||s.l.|
|Number of pages||76|
|Publication status||Published - 2018|