The European Parliament adopted by 522 votes to 122, with 31 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA.

The European Parliament's position adopted at first reading under the ordinary legislative procedure amended the Commission's proposal as follows.

Extended scope of the Visa Information System (VIS)

The Visa Information System (VIS) is a European database used by authorities to monitor third-country nationals requiring a visa to travel to the Schengen area.

The reform of the VIS should enable the system to better respond to security developments and migration challenges, and to optimise the management of the EU's external borders by extending its scope to long-stay visas and residence permits in order to address gaps in security information.

Purpose of the VIS

As regards short-stay visas, the VIS shall facilitate the exchange of data between Member States on visa applications and decisions, with a view to facilitating and accelerating the visa application procedure.

With regard to long-stay visas and residence permits, the VIS shall: (i) support a high level of security in all Member States by contributing to the assessment of whether the applicant or holder of a document is considered to pose a threat to public policy, internal security; (ii) facilitate checks at external border crossing points and enhance the effectiveness of checks within the territory of the Member States.

For all visas, the VIS shall assist in the identification of missing persons, in particular children, and contribute the prevention of threats to the internal security of any of the Member States, namely through the prevention, detection and investigation of terrorist offences or of other serious criminal offences in appropriate and strictly defined circumstances.

System architecture

Members proposed that Council Decision 2004/512/EC establishing the Visa Information System (VIS) be repealed and fully integrated into the VIS Regulation. They also recommend that certain elements of the Commission's implementing decisions be included in this Regulation.

The VIS would be based on a centralised architecture. The centralised services shall be duplicated to two different locations namely Strasbourg, France, hosting the principal VIS Central System, central unit (CU) and St Johann im Pongau, Austria, hosting the backup VIS Central System, backup central unit (BCU).

The central VIS system, the uniform national interfaces, the web service, the carrier gateway and the VIS communication infrastructure shall share and re-use as much as technically possible the hardware and software components of respectively the entry/exist central ( EES Central System), the EES national uniform interfaces, the ETIAS carrier gateway, the EES web service and the EES communication infrastructure.

Data processing

Processing of personal data within the VIS by each competent authority shall not result in discrimination against applicants, visa holders or applicants and holders of long-stay visas, and residence permits.

It shall fully respect human dignity and integrity and fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life and to the protection of personal data. Particular attention shall be paid to children, the elderly and persons with a disability and persons in need of international protection.

Fingerprint data of children

No fingerprints of children under the age of 6 shall be entered into VIS.

Parliament proposed that the collection of fingerprints from children should be subject to stricter safeguards and a limitation on the purposes for which such data may be used to situations where it is in the best interests of the child, in particular by limiting the storage period of stored data.

The biometric data of minors from the age of six shall be taken by officials trained specifically to take a minor's biometric data in a child-friendly and child-sensitive manner and in full respect of the best interests of the child.

Access to the system by centralised European agencies

The proposed reform shall ensure better access for Europol and law enforcement authorities to VIS data in order to identify crime victims and advance their investigations into serious crime or terrorism.

In the case of the European Border and Coast Guard Agency, Members believe it is essential that this agency has access to the system. However, they proposed restricting access for return teams while reinforcing access to statistics for the purpose of risk analysis.

Links with other systems and interoperability

Parliament intends to ensure the utmost coherence with other systems, in particular ETIAS, including its safeguards. Checks against other databases should also be carried out for holders of long-stay visas and residence permits.

However, in order to provide appropriate guarantees, Members specified which controls should be carried out. They also specified the specific measures following each hit, both to protect third-country nationals and to ensure the confidentiality of information.

Any hit resulting from the queries which cannot automatically be confirmed by VIS shall be manually verified by the national single point of contact. Depending on the type of data triggering the hit, the hit should be assessed either by consulates or by a national single point of contact, with the latter being responsible for hits generated in particular bylaw enforcement databases or systems.

Each Member State shall designate a national authority, operational 24 hours a day, 7 days a week, which shall ensure the relevant manual verifications and assessment of hits for the purposes of this Regulation.

Data transfer

Personal data obtained by a Member State pursuant to this Regulation shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. As an exception to that rule, however, it shall be possible to transfer such personal data to a third country or to an international organisation where such a transfer is subject to strict conditions and necessary in individual cases in order to assist with the identification of a third-country national in relation to his or her return.

Entry into force

Parliament proposed enhancing reporting mechanisms and setting a deadline of a maximum of two years to have this reformed VIS up and running.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Carlos COELHO (EPP, PT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA.

The committee recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the Commission's proposal as follows.

Scope of the Visa Information System (VIS)

Members believe that the proposed reform shall be the extension of the scope of the Visa Information System (VIS) to include long-stay visas and residence permits. This change shall increase the security of external borders and better secure the rights of long-term residents.

Purpose of the VIS

As regards short-stay visas , the VIS shall facilitate the exchange of data between Member States on visa applications and decisions, with a view to facilitating and accelerating the visa application procedure.

With regard to long-stay visas and residence permits , the VIS shall: (i) support a high level of security in all Member States by contributing to the assessment of whether the applicant or holder of a document is considered to pose a threat to public policy, internal security; (ii) facilitate checks at external border crossing points and enhance the effectiveness of checks within the territory of the Member States.

For all visas, the VIS shall assist in the identification of missing persons and contribute the prevention of threats to the internal security of any of the Member States, namely through the prevention, detection and investigation of terrorist offences or of other serious criminal offences in appropriate and strictly defined circumstances.

System architecture

Members proposed that Council Decision 2004/512/EC establishing the Visa Information System (VIS) be repealed and fully integrated into the VIS Regulation. They also recommend that certain elements of the Commission's implementing decisions be included in this Regulation.

The architecture of the system shall also reflect the expansion of its scope and usage: long stay visas and residence permits, queries by the entry-exit system and the new interoperability architecture.

The VIS would be based on a centralised architecture. The central VIS system, the uniform national interfaces, the web service, the carrier gateway and the VIS communication infrastructure shall share and re-use as much as technically possible the hardware and software components of respectively the entry/exist central ( EES Central System), the EES national uniform interfaces, the ETIAS carrier gateway, the EES web service and the EES communication infrastructure.

Data processing

Processing of personal data within the VIS by each competent authority shall not result in discrimination against applicants, visa holders or applicants and holders of long-stay visas, and residence permits on the grounds of sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

It shall fully respect human dignity and integrity and fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life and to the protection of personal data. Particular attention shall be paid to children, the elderly and persons with a disability and persons in need of international protection.

Children's fingerprints

Given that children are a particularly vulnerable group, Members propose that the collection of special categories of data, such as fingerprints, from children should be subject to stricter safeguards and a limitation of the purposes for which these data may be used to situations where it is in the child’s best interests, including by limiting the retention period for data storage.

Data transfer

Personal data obtained by a Member State pursuant to this Regulation should not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. As an exception to that rule, however, it should be possible to transfer such personal data to a third country or to an international organisation where such a transfer is subject to strict conditions and necessary in individual cases in order to assist with the identification of a third-country national in relation to his or her return.

Access to the system by centralised European agencies

In the case of the European Border and Coast Guard Agency, Members believe it is essential that this agency has access to the system. However, they proposed restricting access for return teams while reinforcing access to statistics for the purpose of risk analysis.

Links with other systems and interoperability

Members intend to ensure the utmost coherence with other systems, in particular ETIAS, including its safeguards. Checks against other databases should also be carried out for holders of long-stay visas and residence permits.

However, in order to provide appropriate guarantees, Members specified which controls should be carried out. They also specified the specific measures following each hit, both to protect third-country nationals and to ensure the confidentiality of information.

Any hit resulting from the queries which cannot automatically be confirmed by VIS shall be manually verified by the national single point of contact. Depending on the type of data triggering the hit, the hit should be assessed either by consulates or by a national single point of contact, with the latter being responsible for hits generated in particular bylaw enforcement databases or systems.

Each Member State shall designate a national authority, operational 24 hours a day, 7 days a week, which shall ensure the relevant manual verifications and assessment of hits for the purposes of this Regulation.

Entry into force

Members proposed enhancing reporting mechanisms and setting a deadline of a maximum of two years to have this reformed VIS up and running.

Opinion of the European Data Protection Supervisor (EDPS) on the proposal for a new Regulation on the Visa Information System.

In order to enhance security and improve the EU external borders management, the Commission adopted a Proposal which would upgrade the Visa Information System (‘VIS’), the EU centralised database that contains information about persons applying for a Schengen visa.

In particular, the proposal provides for (a) the lowering of the fingerprint age for child applicants for a short stay visa from 12 years to 6 years; (b) the centralisation at EU level of data related to all holders of long stay visas and residence permits; and (c) the cross-check of visa applications against other EU information systems in the area of freedom, security and justice.

The EDPS made the following recommendations

Sensitive data

The EDPS stresses that biometric data such as fingerprints are highly sensitive. Their collection and use should be subject to a strict necessity analysis before deciding to store them in a database where a large number of persons will have their personal data processed.

Prevention against children right's abuses

The EDPS notes that it remains unclear whether or to what extent the child trafficking is rooted in or amplified by the mis- or non-identification of children entering the EU territory on the basis of a visa. Should further elements be provided in support of this claim, the EDPS stresses the importance to ensure that fingerprints of the children will be used only when it is in the best interest of the child in a specific case.

The EDPS recommends to introduce in the proposal a specific provision on the fingerprints of children to limit their processing to the purposes of:

- verifying the child's identity in the visa application procedure and at the external borders;

- contributing to the prevention and fight against children's right abuse only in a specific case.

In particular as regards the access by law enforcement authorities, the EDPS recommends to ensure that:

- such access must be necessary for the purpose of the prevention, detection or investigation of a child trafficking case;

- access is necessary in a specific case;

- a prior search in the relevant national databases and in the specific systems at Union level has been unsuccessful;

- reasonable grounds exist to consider that the consultation of the VIS will substantially contribute to the prevention, detection or investigation of the child trafficking case in question;

- the identification is in the best interest of the child.

Data recording in the VIS

By recording data on all holders of long-stay visas and residence permits in the VIS, the proposal would contribute, in the context of the proposal for interoperability of large-scale EU systems, to the creation of a centralised European network providing access to a considerable amount of information on all third-country nationals who have crossed or are considering crossing EU borders (i.e. millions of people).

In this context, the EDPS considers that the harmonisation of secure documents should be further examined and that the data stored in the VIS should be limited to persons whose long-stay visa or residence permit has been refused for security reasons.

Comparisons of data

The proposal provides for the comparison of data stored in the VIS with data stored in other systems built and used so far for purposes other than migration. In particular, the data of visa applicants would be compared with data collected and stored for police and judicial cooperation purposes.

The EDPS recommends:

- to clarify in the proposal the purpose of the comparison of the VIS data with Europol data, as well as the procedure and conditions applicable as regards the outcome of such comparison;

- to ensure that only alerts that are legally part of the visa issuance decision-making process would produce a hit accessible by visa authorities.

Other recommendations

The EDPS made additional recommendations related to the following aspects of the proposals: (i) categories of VIS data compared with data recorded in other systems; (ii) specific categories of visa applicants; (iii) definition of central authorities; (iv) use of VIS data to enter a SIS alert on missing persons; (v) verifications in case of a hit; (vi) access for law enforcement purposes; (vii) statistics; (viii) use of anonymised data for testing purposes; (ix) data quality monitoring; (x) supervision of the VIS.

PURPOSE: to improve the Visa Information System (VIS) to better secure the EU's external borders.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the Visa Information System (VIS) was established by Council Decision 2004/512/EC to serve as the technology solution to exchange visa data between Member States.

Since 2011, the VIS has served as the technology solution facilitating the short-stay visa procedure and helping visa, border, asylum and migration authorities to rapidly and effectively check the necessary information on third-country nationals who need a visa to travel to the EU.

The EU common visa policy is an essential part of the Schengen acquis .

Since the entry into force of the Visa Code in 2010, the environment in which visa policy operates has changed drastically. The migration and security challenges faced in recent years have shifted the political debate about the area without internal border control in general, and about visa policy in particular.

In this context, the Union is improving its information systems for border management in order to fill information gaps and strengthen internal security. In December 2017 the Commission proposed the rules on interoperability between EU information systems to make them work together in a smarter and more efficient way. In 2016, the Entry/Exit Sytem (EES) Regulation established that that the EES and VIS systems can be fully interoperable in order to provide a full picture of the visa application history of third-country nationals by adding information on how they used their visas.

In addition to the interoperability work launched since April 2016 to create stronger and smarter information systems for borders and security, an overall evaluation of the VIS was carried out in 201614. The evaluation looked specifically into the system’s fitness for purpose, efficiency, effectiveness and added value for the EU. It found that the VIS meets its objectives and functions and remains one of the most advanced systems of its kind, but that new challenges in visa, border and migration management meant it needed further development in a number of specific areas.

At the same time, significant technological developments are providing new opportunities to make visa processing easier for both applicants and consulates. Since VIS is an important component of the framework underpinning visa policy, this proposal complements the recent proposal amending the Visa Code presented by the Commission on 14 March 2018.

Since VIS is an important component of the framework underpinning visa policy, this proposal complements the recent proposal amending the Visa Code presented by the Commission on 14 March 2018.

IMPACT ASSESSMENT: this proposal follows the preferred options of the impact assessment concerning (i) storing a copy of the biographical data page of the travel document; (ii) lowering the fingerprinting age and (iii) ensuring automated migration and security checks against available databases.

CONTENT: the proposal for a Regulation aims to: (i) facilitate the visa application procedure; (ii) facilitate and strengthen checks at external border crossing points and within the territory of the Member States; (iii) enhance the internal security of the Schengen area by facilitating the exchange of information among Member States on third country nationals holders of long stay visas and residence permits. Consequently, amendments will need to be made to Regulation (EC) No 810/2009 (the Visa Code), Regulation (EC) No 767/2008 , Regulation (EU) 2017/2226 (the EES Regulation), the Interoperability Regulation and Regulation (EU) 2016/399 (the Schengen Borders Code).

The main objectives of this proposal are as follows:

Closing remaining information gaps : at present, data on documents which allow third-country nationals to stay in the territory of a given EU Member State for more than 90 days in any 180-day period are not collected. The Commission proposes to include long-stay visas and residence permits in the VIS . By facilitating a better systematic exchange of information between Member States concerning third-country nationals holding a long-stay visa and residence permit, the VIS would contribute to improving internal security in the Schengen area.

Enhancing checks in visa processing using interoperability : once in place, the European Search Portal will allow competent authorities — including visa processing authorities — to carry out a single search and receive results from all systems they are authorised to access (including EURODAC, EES and the European Criminal Records Information System — Third Country Nationals (ECRIS)) rather than searching in each system individually.

In addition to automated queries of other databases, visa processing will benefit from specific risk indicators . The indicators will contain data analytics rules, as well as specific values provided by Member States and statistics generated from other relevant border management and security databases. This would improve risk assessments and allow the data-analytics method to be applied. The risk indicators would not contain any personal data and would be based on statistics and information provided by Member States on threats, abnormal rates of refusal or overstay by certain categories of third country nationals, and public health risks.

Making it easier to identify missing persons : quick access should be given for law enforcement authorities to VIS data to enable a fast and reliable identification of the person, without the need to fulfill all the preconditions and additional safeguards for law enforcement access.

Improving information in the processing of short-stay visa applications : the Commission proposes to lower the fingerprinting age for child applicants from 12 to 6 years . This would make it possible to carry out checks when crossing an external border but also to offer children better protection and contribute to the fight against trafficking in human beings. It also proposes to store a copy of the bio-page of the applicant's travel document in the VIS in order to facilitate return procedures.

Upgrading other technical components of the VIS : the VISMail mechanism for consultations is integrated in the VIS in order to streamline the exchanges between the VIS central system and the national systems. The configuration of the central system is adapted to better respond to the need to rapidly and efficiently ensure availability in periods of disruption. In order to improve the quality of the data recorded in the VIS, data quality defect indicators have been introduced at application level.

BUDGETARY IMPLICATIONS: following the technical study carried out by eu-LISA in 2016, the necessary budget is estimated at EUR 182 million . The development phase is foreseen between 2021 and 2023, and the necessary funds will therefore be part of the amount allocated in the next EU budget. If the proposal is adopted before the next financial framework, the necessary resources (estimated at EUR 1.5 million) will be financed from the ISF borders and visas budget line and the amounts will be deducted from the amount allocated for the period 2021-2023.