EU Regulations: Referral to Joint Committee

I move:

That Dáil Éireann approves the following:

(i) the exercise by the State of the option or discretion, provided by Article 4 of Protocol No. 19 on the Schengen Acquis integrated into the Framework of the European Union annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, to request to take part in the following measure to the extent that it relates to the operational management of the Visa Information System (VIS), the establishment, operation and use of which are governed by Council Decision 2004/512/EC, Regulation (EC) No 767/2008 and Council Decision 2008/633/JHA, the operational management of the Entry/Exit system (EES), established by Regulation (EU) 2017/2226, the operational management of the European Travel Information and Authorisation system (ETIAS) established by Regulation (EU) 2018/1241, and the operational management of the parts of the second generation Schengen Information System (SIS II) governed by Regulation (EC) No 1987/2006 in which Ireland does not participate:

Regulation (EU) 2018/1726 of the European Parliament and of the Council on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011, and

(ii) the exercise by the State of the option or discretion under Protocol No. 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union to accept the following measure, insofar as the measure relates to the operational management of Eurodac, as governed by Regulation (EU) No 603/2013, and the operational management of DubliNet, established by Commission Regulation (EC) No 1560/2003:

Regulation (EU) 2018/1726 of the European Parliament and of the Council on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011,

copies of which were laid before Dáil Éireann on 22nd November, 2018, be referred to the Joint Committee on Justice and Equality, in accordance with Standing Order 84A(4)(k), which, not later than 11th April, 2019, shall send a message to the Dáil in the manner prescribed in Standing Order 90, and Standing Order 89(2) shall accordingly apply.

It is unusual to have a motion such as this debated on the floor of the House. It is normally done by the committee, but here we go.

The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice, known as eu-LISA, was established in 2011 and has operated since December 2012 to provide a long-term solution for the operational management of large-scale information technology systems which are essential instruments in the implementation of the asylum, border management and migration policies of the European Union. eu-LISA currently fulfils the operational management tasks for the Schengen information system, the visa information system and the European asylum dactyloscopy database, known as Eurodac.

eu-LISA keeps all IT systems under its responsibility functioning 24 hours a day, seven days a week. This allows the continuous uninterrupted exchange of data between the national authorities that use the systems. eu-LISA is also responsible for adopting and implementing security measures on the IT systems; organising training for national authority IT experts on the systems under its management; providing relevant reporting and statistics; and monitoring research activities. eu-LISA is responsible for ensuring security and data protection requirements are fully met. The agency has responsibility for the sophisticated communication tools and networks that support the various IT systems. For instance, eu-LISA provides the communication infrastructure for SIS II, Eurodac and VIS. In addition, it is responsible for the operational management of Vision and DubIiNet which ensure the communication infrastructure for the VIS and Eurodac systems respectively.

The headquarters of eu-LISA are in Tallinn, Estonia, while its operational centre is in Strasbourg, France. There is also a business continuity site for the systems under management based in Austria and a liaison office in Brussels.

EU Regulation No. 2018/1726 repeals the regulation establishing eu-LISA and provides the agency with a renewed mandate. It is proposed that eu-LISA will provide centralised operational management of EU information systems and be responsible for the preparation, development and operational management of the new information systems proposed by the Commission. They include the entry-exit system, EES, and the EU travel information and authorisation system, ETIAS. It is also proposed to provide for the extension of the eu-LISA mandate in respect of DubliNet which, to date, has been entrusted to eu-LISA via a service level agreement. The regulation places additional responsibility on eu-LISA for improving the quality of the data, establishing common data quality indicators and developing a central repository for reporting and statistics. The regulation requires eu-LISA to develop the main technical features of the Commission's approach towards interoperability, consisting of a European search portal, a shared biometric matching service and a common identity repository to ensure all EU information systems interact efficiently.

The regulation extends the mandate of eu-LISA with regard to research, in particular, giving eu-LISA the task of implementing the parts of the framework programme for research and innovation that relate to IT systems in the area of freedom, security and justice. It is proposed that more pilot projects may be entrusted to eu-LISA. It is proposed that eu-LISA may be requested to provide advice for member states on national systems connection to the central systems and ad hoc support. eu-LISA may also be requested to provide advice and support for the Commission on technical issues. It may also be tasked to develop, manage and host common IT systems by a group of least six member states in the area of freedom security and justice.

Ireland's participation in this regulation is complicated because the instrument builds on Schengen measures in which Ireland may participate, for example, police co-operation aspects of SIS Il; Schengen measures in which Ireland has chosen not to participate, for example, VIS, the border aspects of SIS II, EES and ETIAS; and non-Schengen measures in which Ireland participates like Eurodac. The Schengen aspects are subject to Protocol 19, known as the Schengen protocol, while the non-Schengen aspects are subject to Protocol 21, known as the JHA protocol. In order to participate in this regulation amending eu-LISA and, therefore, continue our participation in the agency that manages the operations of large-scale IT systems in which we participate, both Protocol No. 19 and Protocol No. 21 annexed to the Treaty on the Functioning of the European Union are engaged.

The opt-in process follows the process devised in 2012 to permit limited opt-in by Ireland to the supervision, management and oversight by eu-LISA of those aspects of the eu-LISA system in which we actually do not participate such as the border aspects of SIS Il and VIS, as well as those in which we do participate such as Eurodac.

Ireland issued a request to the European Council under Article 4 of Protocol 19 to take part in certain provisions of the Schengen acquis consisting exclusively of those aspects of the regulation that concern the operational management only of the Schengen-related IT systems in which we are not participating, that is to say, VIS and the border aspects of SIS II. Ireland simultaneously exercised its option under Article 4 of Protocol No. 21 to notify the Council and the Commission of our wish to accept the Eurodac aspects of the regulation. No adverse consequences arose on foot of this process, whether in respect of the operation and understanding of Protocol No. 19 or Protocol No. 21. The Attorney General's office has, therefore, advised that it is appropriate to use the same process to opt in to this regulation and thereby continue our participation in eu-LISA.

The European Commission proposals that preceded this regulation were laid before the Oireachtas in July 2017. They worked to enable Ireland to opt in to the regulation. The process has been ongoing since that time. The variable geometry of Ireland's participation in the regulation is complex and prevented the exercise of our opt-in under Article 3 of Protocol No. 21. Ireland's Permanent Representation to the European Union consulted the European Council's legal service. The service suggested the bespoke legal solution used to opt in to the establishing regulation of eu-LISA in 2012 could be used again. This was confirmed by the Office of the Attorney General in June 2018. The Government approved the bringing of a motion before the Oireachtas in September to approve Ireland's exercise of the opt-in to the regulation. The regulation was published in the Official Journal of the European Union on 20 November 2018 and laid before both Houses of the Oireachtas on 22 November.

I have more to say, but my time is up.

The motion proposes that Ireland participate in the operational management of the visa information system, the entry-exit system and the Schengen information system. It further proposes that we participate in the elements of eu-LISA that relate to the operational management of Eurodac. Fianna Fáil accepts, in principle, these measures which provide for Ireland's engagement with several systems related to information sharing on non-EU nationals entering the European Union. The visa information system allows Schengen states to exchange visa data. The main purpose behind the founding of the entry-exit system is to register entry and exit data for non-EU nationals crossing the external borders of EU member states. The SIS enables competent national authorities such as the police and border guards to enter and consult alerts.

The Eurodac regulation establishes an EU asylum fingerprint database.

The measures, in combination, allow for the improved, enhanced exchange of visa data with other EU member states; the registration of the entry and exit of non-EU nationals into and out of member states; and the sharing of alerts related to policing concerns. All of the measures appear to be positive and worthwhile. Fianna Fáil accepts that there may be concerns, as expressed in the course of debate, about the sharing of information on migrant refugees and visa holders. It appears that these measures, in combination, do not introduce new barriers to entry or stay for non-EU nationals. They simply provide the tools for better oversight of existing regulations.

We recognise that migration is a complex and challenging issue. Conflict, forced displacement, extreme poverty, smuggling of migrants and trafficking of human beings cannot be solved with a simple remedy, but we believe it is imperative that all countries take a fair and proportionate share of refugees. We believe the Dublin system should be transformed and a legal pathway for migration should be possible. We also agree with the blue card system for skilled migrants. The integration and inclusion of refugees and migrants is essential if we are to successfully tackle the politics of fear that are evident in some countries in the European Union and beyond. They are based on scapegoating others. This is particularly evident in some of the discourse on migration and refugees. The spate of separate attacks in Europe is also being used by those who peddle the politics of fear to scapegoat refugees and denigrate the European Union and the values that underpin it.

I welcome the opportunity to debate what is before us and what will I expect be before the Joint Committee on Justice and Equality tomorrow morning. However, we will oppose both motions on the basis that we have serious concerns about the implications in the protection of citizens' data in the future, for both non-EU and EU citizens. Although in principle, interoperability means connecting the information contained in several existing databases, this initiative will, in reality and practice, result in the creation of a new giant database that will contain the personal information of tens and perhaps hundreds of millions of people in the longer run, including information collected for very different purposes, both for migration control and crime prevention, both of which have, unfortunately, been somewhat conflated in this specific proposal, despite the fact that they are quite different.

Ireland was authorised to participate in certain non-border aspects of the Schengen acquis by Council Decision 2002/192/EC, principally police and judicial co-operation. There are already sufficient safeguards in place, with Ireland already availing of the Schengen information system for security purposes, as well as being linked with Europol and having signed up to other databases such as SIS, VIS and Eurodac, as well as entry-exit databases. I note the serious concern expressed by the European Data Protection Supervisor which has warned the Parliament and the Council that interoperability would "change the way legal principles have been interpreted in this area so far and would as such mark a ‘point of no return’." It has called for extreme caution and a wider political debate before adopting the proposal.

We discussed the general data protection regulation, GDPR, a lot last year. It is a matter for the European Union and its institutions which can bring forward legislative proposals that can adopt an independent approach to the GDPR. On the principles that underpin the GDPR, Article 5 states:

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

It is unclear to me how this proposal complies the principles the GDPR outlined. It is unclear how the creation of a mega database which is explicitly stated to hold the biometric data of citizens and third country citizens complies with the requirement related to specified, explicit and legitimate purposes. It has been called Orwellian by some MEPs and I would be inclined to agree that it is certainly a step in the wrong direction. By 2017 the Schengen information system had been accessed more than 5.1 billion times by member states. In opting in to these protocols we consent to other member states having access to our citizens' information, much of which is personal in nature. The European Council's press release on the matter states:

The regulations introduce the possibility of using facial images for identification purposes, in particular to ensure consistency in border control procedures. It also allows for the inclusion of a DNA profile to facilitate the identification of missing persons in cases where fingerprint data, photographs or facial images are not available or not suitable for identification.

We will grant all member states the right to access such data and once a person is on one of the databases, he or she cannot get off it, despite the fact that he or she may have committed no criminal offence. There may have been a question about an asylum application or such, yet the person will go through this process and it will follow him or her for the rest of his or her life. He or she will be stuck in this database. Recently the Department of Employment Affairs and Social Protection found itself in a little trouble with the Data Protection Commissioner on this issue. I know that there is an investigation into whether the public services card system is legal, but I warn the Minister to take note of that episode in the context of how this jurisdiction manages data and how we will deal with it at a European level.

The system seeks to merge the areas of migration and crime prevention for reasons which I believe are ultimately political. They are conflated to a point that is wrong. The European Data Protection Supervisor states:

[Repeatedly] referring to migration, internal security and the fight against terrorism almost interchangeably brings the risk of blurring the boundaries between migration management and the fight against crime and terrorism. It may even contribute to creating assimilation between terrorists, criminals and foreigners.

I do not think we should have anything to do with it.

There is a Big Brother aspect to this operation and there does not seem to have been much debate about fundamental rights, proportionality or the safeguarding of data. I have a number of questions for the Minister of State. I do not know if I will get answers to them today, but perhaps I will get them at another time.

In April 2018 the European Commission's data protection working party, an independent European advisory body comprising employees of the Directorate-General for Justice and Consumers, published an opinion on interoperability between EU IT systems for border controls, international protection, migration, police and judicial co-operation. It highlighted the lack of analysis of data protection issues in the impact assessment given. It also found that no information had been given on which data protection regime would apply to which operation and that no evaluation of security measures needed for the EU-wide databases had been carried out. There had also been no analysis of less intrusive means to reach the goals set in the proposals. That is a damning report. Will the Minister of State provide details of any analysis carried out of interoperability in the meantime, specifically of data protection issues, the security measures needed, or less intrusive ways to achieve the same goals?

The European Commission's data protection working party also highlights that interoperability between IT systems as proposed by the European Union raises fundamental questions about the purpose of, necessity for and proportionality of the data processing involved, as well as concerns about the principles of purpose limitation, data minimisation, data retention and the clear identification of a data controller.

The European Union Agency for Fundamental Rights, FRA, has on a number of occasions expressed concern about the fundamental rights implications of interoperability with reference to eu-LISA. The impact of large-scale IT systems on fundamental rights remains largely unexplored territory. In 2017 the FRA issued a rebuke, warning that interoperability could lead to discriminatory profiling. What safeguards are in place to prevent the information from being accessed illegally?

The FRA has identified the issue of function creep whereby data collected for one reason, for example, asylum and migration, can then be used for other purposes such as internal security by law enforcement agencies. The FRA has found that the information technology systems established by the EU for asylum and migration management are increasingly being used for internal security reasons. What safeguards are in place to ensure that the databases that are not abused by law enforcement agencies carrying out checks on people inside the EU who may be subject to the check due to their colour, effectively racial profiling? The FRA has documented many instances in which inaccurate biometric or alphanumeric data has been entered into databases in the areas of borders, visas and asylum. This can result in a wrong Dublin Protocol transfer. It can lead officials to suspect identity fraud and can bar entry into the EU. It can even lead to a person being detained. If this data is accessed unlawfully the person can be put in unnecessary danger. Does the Minister of State have any concerns that the centralisation of this data will make it more difficult to spot inaccuracies and may actually put people in danger?

Article 5 of the general data protection regulation, GDPR, requires that third country nationals are informed of the relevant aspects of their personal data being processed in a transparent and easily understandable manner, in reality the right to information is often not upheld. The European Data Protection Supervisor, EDPS, has also raised concerns over interoperability, calling it a political rather than a technical choice. According to it, the decision of the EU legislator to make large-scale IT systems interoperable would not only permanently and profoundly change their structure and way of operating but would also change the way legal principles have been interpreted in this area so far and would as such be a point of no return.

The EDPS called for further debate on the issue in order to figure out how to protect fundamental rights. These IT systems deal with migration, the fight against terrorism and serious crime. As the EDPS points out referring to these terms almost interchangeably risks conflating all the issues and ultimately could lead to a perceived link between terrorists, criminals and migrants. Considering the recent swing to the right across most of Europe and worrying incidents such as the protests against the Roma in Italy, is the Minister of State not concerned that supporting the securing of Europe is pushing us further down a dangerous road towards racism and exclusion which goes against the fundamental principles of the EU?

The Minister of State is correct that it is unusual that we would be discussing this prior to the Oireachtas Joint Committee on Justice and Equality's discussion of it. We will continue the discussion tomorrow morning. We are discussing it now because of the tardy notice given to the committee to debate this issue which has been on the cards for months, attempting to bounce us into a discussion tomorrow morning with less than a week's notice and no information on the proposition. That is why we are here tonight and we will continue this in the morning.

The two motions before us today opt us into aspects of an EU regulation that strengthens the mandate of the eu-LISA agency, the agency that manages large-scale security and justice information systems in Europe. The European Commission tells us it is doing this in a bid to close the gaps that threaten the security of Europe and its citizens, all of the usual rubbish that we have become accustomed to listening to. A side effect of the mandate is that the EU information systems for migration, security and border management will become more interoperable. I think it was quite creepy that in announcing the Commission's proposals the Commissioner for Migration, Home Affairs and Citizenship said the stronger agency, "wilI help us connect all the dots towards an effective and genuine Security Union". As far as I am concerned when lreland signed up to the European Economic Community in the 1970s it was not signing up to a security union and I do not think the citizens have been asked about that matter. The fact that the Commission was arrogant enough to come out and state that so boldly is a significant overreach on its part. It seems determined to criminalise each and every third country national who wants to come to the EU, whether for work, fleeing war, or simply on a holiday. We are creating a continent living in fear that a horde of barbarians is on the horizon, ready to invade. That is giving us a continent distracted from the real and pressing issues facing us.

Last October, the justice committee was asked to approve two proposals from the European Commission that touched on the same area of interoperable border IT systems as this regulation does. What was proposed then was a vast, centralised database of a massive range of highly sensitive, biometric and personal data belonging to 218 million non-EU citizens visiting or living within the European Union and the justification for it was as the EU Commission said, an evolving and ongoing threat to internal security. The threat, it said, was migrants, not some migrants but all migrants. Other Deputies have used the quote from the European Data Protection Supervisor warning of the dangers of the blurring of lines by mixing migration management with the fight against terrorism. This is setting a racist agenda in Europe and we are surprised out when Viktor Orbán says what he does and gets elected.

The Commission expected us last October to swallow the view that the threat to internal security posed by migration is severe enough to justify the creation of essentially an EU-wide Stasi. The committee did not agree and yellow-carded the proposal. Plenty of other people shared our view, including the EDPS, the Article 29 group, European Parliamentary Research Service, Privacy International, Statewatch and many more. All of them loudly questioned whether this threat from migrants exists and whether it was sufficient to justify what the Commission wanted and whether the Commission had any evidence at all to justify its position. None of those organisations was listened to. Our committee was not listened to either and the Commission's proposal is now going full steam ahead and the regulation we have before us will allow the Commission's giant intrusive database to take physical form. Even if Ireland is not taking part in that, we have a duty to flag the dangers because Europe's current migration policy, if it could be called that, is leading to fear, it is boundaries, high walls bristling with surveillance around the continent, driven by the far right and the arms industry. It is an incredibly dangerous path and the Commission does not seem to care enough to join the dots and see where this is leading us. We are paying Libya to keep refugees in dungeons to be raped and beaten, and we imagine there will not be consequences? Of course there will be consequences. None of this is making Europe any safer, it is making it a far more dangerous place and we should be playing a neutral and independent role.

I thank Deputies for taking part in this quite important debate. There are reasons it is taking place now to do with Brexit and the dangerous things that might happen there. We are strongly of the view on this side of the House that Ireland should participate in the adoption and application of this regulation. With respect to Deputy Ó Laoghaire's point on the creation of a large database, this is not created by this particular regulation but by a separate interoperability regulation. We are not talking about that particular point. Sometimes colleagues conflate this regulation with the proposals currently under negotiation on an EU level on interoperability of IT systems. This is not the subject of this regulation which relates to Ireland's participation in the eu-LISA regulation. eu-LISA will prepare the technical points of interoperability but Ireland is participating only insofar as it relates to the operation and management of the IT systems that we participate in. For Ireland these are SIS-II and Eurodac in which these Houses approved our participation. eu-LISA is essential to our ability to complete our connection to SIS-II in 2020. If Ireland opts to participate in any interoperability regulation then both Houses will have a say in that opt-in. That is not the subject of this regulation. Let us be clear about what we are at here.

Ireland's participation in eu-LISA has been important for our connection to the update of Ireland's national Eurodac systems as required by our participation in the Eurodac regulation. In progressing Ireland's connection to the SIS-II system, eu-LISA has been an important partner to ensure the efficient delivery of this project which will provide An Garda Síochána with access to this vital tool in the investigation of cross-border crime.

As Ireland participates in some of the systems which eu-LISA manages, it is important that we have a voice and a vote at the EU management board where decisions on the operational management of those systems are taken. Ireland's participation is confined to those systems in which we already participate and does not oblige us in any way to participate in systems such as the VIS, ETIAS or EES. However, participation in eu-LISA will enable us to exercise our option to opt in to future large-scale systems, should the Oireachtas approve of our doing so.

The central customs information system, CIS, is supervised by the European Data Protection Supervisor, EDPS. Supervision of each national system is allocated to data protection authorities in each respective member state. The systems and revision co-ordination group was set up in 2013 to ensure co-ordinated supervision of SIS II between the EDPS and national supervisory authorities. The CIS group meets twice a year. EU states must ensure that the taking of fingerprints and all operations involving the processing, transmission, conservation or deletion of data are carried out lawfully. The Commission must see to the proper application of regulation by the central unit. It also informs the European Parliament and EU Council of measures it takes to ensure the security of data. As I indicated, EU states' data processing activities are monitored by the national supervisory bodies, while those of the Commission are monitored by the European Data Protection Supervisor.

The Data Protection Commissioner is the national supervisory authority for Ireland. Section 12(2) of the Data Protection Act 2018 provides, among other matters, that: "The Commission shall monitor the lawfulness of processing of personal data in accordance with (a) Regulation (EU) No 603/2013 ... on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for comparison with Eurodac data by Member States’ law enforcement authorities." There are serious safeguards there and it is important that this would be the case.

I commend the motion to the House. I gather it will be debated tomorrow in committee as well and I hope the information which I put before the House earlier will be of assistance to colleagues in that important debate. I apologise for speaking so quickly but I wanted to provide as much information as I could in the time available.

Question put and declared carried.