- Every year, ETIAS will process the personal information of millions of travellers.
- Data security has been a major priority in the creation of ETIAS.
- Who has access to the databases? How long is data retained?
23-11-2022
Concerns regarding data security are common in the digital era.
Companies and organisations are continuously in need of information from their customers. This raises concerns about how this data is maintained and safeguarded.
When travellers apply for an ETIAS authorization for Europe, their personal information is safeguarded.
The ETIAS data protection policy adheres to European legislation as well as the Charter of Fundamental Rights.
The ETIAS legislation describes how the EU data protection regulation will be implemented. This visa waiver will protect European citizens and tourists while protecting their privacy.
WHAT PERSONAL DATA WILL BE COLLECTED BY ETIAS?
For short-term visa-free visits to Europe, ETIAS will be required. When applying, tourists and business travellers will supply personal information such as:
- Full name
- Place and date of birth
- Nationality
- Gender
- Occupation
- Contact details
- Country of residence
- Information about previous criminal offences
- Recent travel history
As a result, the EU’s data protection standards influence business travel and tourism in Europe.
WHY DOES ETIAS REQUIRE TRAVELLERS’ PERSONAL INFORMATION?
This information is required by the EU for security reasons. Citizens of several nations do not require a visa to travel to Europe and are not currently subject to screening procedures.
By gathering data and identifying potential security issues, ETIAS will enable safer visa-free travel to Europe.
HOW ETIAS PROTECTS PERSONAL DATA
The agency in charge of managing the massive ETIAS IT system is eu-LISA, which is also in charge of most of the systems that filter ETIAS passenger data, such as EURODAC, SIS, and VIS.
eu-LISA is in charge of ensuring that data is handled safely and securely.
ETIAS collects data in order to improve the security of EU citizens. Nonetheless, it is critical that data subjects’ fundamental rights are respected.
The ETIAS regulation explains how data will be handled and stored, as well as compensation rights in the event of unlawful processing.
ETIAS AND THE SAFE PROCESSING OF PERSONAL DATA
The ETIAS Central and National Units, as well as eu-LISA, are in charge of ensuring that personal data is processed securely and in conformity with European legislation.
Article 59 of the ETIAS Regulation addresses 15 aspects of data security, including:
- Physical protection of data
- Ensuring only authorised individuals have access to all elements
- Using encryption to prevent unauthorised reading, copying, modification or deletion of personal details
- Establishing what data has been processed, when and for what purpose
Data encryption and limiting access to certain authorised entities aid in preventing the abuse of personal information.
RIGHT TO COMPENSATION IF ETIAS DATA PROTECTION RULES ARE BROKEN
Article 63 of the ETIAS Regulation concerns the data controller’s or processor’s obligation.
It states that anyone who suffers harm as a result of illegal data management is entitled to compensation.
Compensation will be paid by either the member state or eu-LISA, depending on who was at fault.
HOW ETIAS DATA IS SHARED WITH THIRD COUNTRIES AND OTHER ORGANISATIONS
Article 65 of the ETIAS Regulation deals with data exchange.
According to this article, personal information maintained in the ETIAS Central Unit will not be shared with any international organisation or private entity other than Interpol, the International Criminal Police Organization.
Interpol is an important player in the pre-screening of visitors travelling to Europe. Data transfer to Interpol is required to safeguard the public.
Article 65 of the law also defines when immigration officials may have access to information that will be conveyed to a foreign nation. This is only possible if specific requirements are satisfied.
Exceptions may be made in extreme circumstances, such as the threat of terrorist activity or a serious criminal offense.
ONLY AUTHORISED INDIVIDUALS CAN ACCESS ETIAS
Under specific conditions, law enforcement agencies including Europol will be authorised to consult ETIAS data. They should only request access when it is absolutely necessary to carry out their responsibilities.
eu-LISA will be in charge of maintaining logs of all ETIAS data processing operations, recording:
- The reason for accessing the data
- The date and time of the operation
- The staff member who carried out the operation
Furthermore, eu-LISA will keep track of who is authorised to enter and retrieve data. This will prevent unauthorised or illegal access to information.
HOW LONG IS PERSONAL DATA STORED BY ETIAS?
ETIAS will only store personal data temporarily, either for:
- The validity period of the travel authorisation when the application was approved
- 5 years from the last ETIAS refusal, revocation or annulment
Data can be stored for three years after the authorisation has expired if the applicant gives their consent. Following that, the data will be automatically deleted from the ETIAS Central System.
DATA PROTECTION LAW IN EUROPE
One of the European Union’s top concerns is data security. Mishandling information has costly economic consequences.
The EU’s privacy and security legislation requires organisations in the Union and throughout the world to uphold strong privacy standards.
ETIAS AND THE EU GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) of the European Union (EU) went into effect in 2018 to offer individuals more control over their personal information and how it is used.
GDPR facilitated international trade by providing a consistent rule that applied throughout the EU.
GDPR guarantees that an individual’s personal information is handled correctly. To be in compliance with the rule, an organisation must notify users of:
- The extent of data collection
- How long it will be retained
- If it will be transferred to a third party
People have the right to see an overview of their personal data and how it is processed. They also have the right to erasure in certain circumstances, which means they can request that their data be deleted.
This rule applies to ETIAS since it will process personal data of third-country nationals. The ETIAS system was designed in accordance with GDPR.
HOW DOES GDPR APPLY TO VISA WAIVER PROGRAMS?
Other visa waiver programmes across the world must comply with GDPR. According to the European Commission, the General Data Protection Regulation applies to:
Because it will process the personal data of third-country nationals, the ETIAS data protection policy must adhere to GDPR standards, and other visa waiver programmes throughout the world must do so as well.
ESTA for the United States and eTA Canada gather and process data on individuals from EU member states. As a result, they must comply with the EU’s General Data Protection Regulation.
WHAT IS THE FINE FOR A GDPR DATA BREACH?
A GDPR infringement is expensive for a business. To guarantee compliance, fines have been established at a high level.
The punishment for violating EU data protection legislation is determined by elements such as:
- The number of people affected
- Whether it was intentional
- Past infringements
The maximum penalty is €20 million or 4% of the preceding fiscal year’s annual worldwide revenue, whichever is larger.
This hefty punishment demonstrates how seriously the EU views data privacy. It establishes strict requirements for itself and all other data processors and controllers.
ETIAS AND THE CHARTER OF FUNDAMENTAL RIGHTS
ETIAS is directly pertinent to the clause on freedom in the Charter of Fundamental Rights.
According to Article 8 of the charter, “everyone has the right to the protection of personal data relating to him or her.”
To be in accordance with the charter, ETIAS travellers’ data must be processed only for specific, legitimate purposes and with their consent. Everyone has the right to see the information that has been gathered about them.
The European Data Protection Supervisor (EDPS) is an independent body responsible for ensuring that ETIAS upholds human rights to privacy and data protection.
ETIAS SMART BORDERS AND DATA PROTECTION
The Entry-Exit System (EES), which is also administered by eu-LISA, will be introduced at EU borders in the near future. The system collects information from third-country nationals who pass external Schengen Area borders.
Europe’s EES collects biometric information from ETIAS travellers and visa holders. Because a person’s facial dimensions are unique and may be used to identify an individual, this information is deemed sensitive.
To guarantee that it complies with EU personal data protection law, EES has been evaluated and amended based on suggestions from the European Data Protection Supervisor (EDPS).
In the future, the rising use of artificial intelligence at EU border controls will pose new issues in terms of data privacy.
Because such data is so sensitive, authorities, particularly the EDPS, must guarantee that the fundamental right to data protection is upheld.
Infrastructure and information technology solutions cannot be developed unless complete compliance with EU data protection regulations is ensured.
ARE SCHENGEN SMART BORDERS BREACHING GDPR STANDARDS?
Europe prioritises data protection. This is the conclusion reached by citizens following the adoption of the General Data Protection Regulation (GDPR).
However, fresh worries have emerged regarding face recognition technology and the planned implementation of the ETIAS visa waiver.
This element of smart borders, according to EU Commissioner Margrethe Vestager, may violate Europe’s data protection standards.
In this regard, smart borders may encounter difficulties while collecting biometric data from non-EU nationals entering the Schengen Area.
The major concern revolves around GDPR Articles 6 (Lawfulness of processing) and 9 (Processing of special categories of personal data).
This is not the first setback for EU smart borders. Since its proposal in February 2013, this technology solution for Schengen Member States’ external borders has raised concerns about the “overall feasibility of the proposed new system,” according to the Technical Study on Smart Borders published in 2014.
The European Union will provide additional information on how its Member States will address the difficulty of activating facial recognition systems and smart borders while still ensuring data protection for all individuals, including those from outside the Schengen area.