The European Parliament adopted a legislative resolution approving the Council position at first reading with a view to the adoption of a regulation of the European Parliament and of the Council amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System.

The Regulation amending the Visa Information System (VIS) aims to further develop the VIS in order to better respond to new challenges in the field of visa, border and security policies.

The VIS is the EU's information system for facilitating the procedure for issuing short-stay visas (Schengen visas) and for assisting visa, border, asylum and migration authorities in checking third-country nationals who require a visa to travel to the Schengen area.

Objective

The amending regulation has the following objectives:

- to facilitate the visa application procedure ;

- to strengthen background checks before a decision is taken on a short or long stay visa and residence permit, as well as identity checks at external border crossing points and on the territory of the Member States; and

- to enhance the internal security of the Schengen area by facilitating the exchange of information between Member States on third-country nationals holding a long-stay visa or residence permit.

Scope of the VIS

The Council position at first reading includes in the revised VIS, in addition to short-stay visas, long-stay visas and residence permits, which, while being governed by national rules, allow free movement within the Schengen area. This broadening of the scope of the VIS will allow authorities of Member States other than the issuing authority to carry out a verification of this document and its holder at the borders or on the territory of the Member States.

Background checks

The Council position allows visa authorities to carry out automated checks in other databases using the interoperability framework. However, it provides for separate rules and procedures for searches in sensitive and non-sensitive databases. A delegated act will define the detailed rules for queries and verifications.

All applications registered in the VIS - whether for short-stay visas, long-stay visas or residence permits - will automatically be subject to checks in all other EU security and migration information systems.

Consequential amendments

The Council's position amends the regulations that form part of the Schengen acquis related to external borders (VIS, Entry/Exit System (EES), European Travel Information and Authorisation System (ETIAS), SIS return, SIS border and interoperability in the border area).

The amendments to the Regulations that are not part of the Schengen acquis or constitute texts relating to Schengen police cooperation (Eurodac, Europol Regulation, SIS police cooperation, ECRIS-TCN and police cooperation interoperability) are contained in a separate legal instrument , due to the variable geometry of Member States' participation in EU policies in the area of freedom, security and justice.

However, the two Regulations will be implemented together to ensure the smooth functioning and effective use of the VIS system.

Biometric data

The Council position lowers the age at which fingerprints can be taken from minors from 12 to 6 years , but also introduces an upper age limit for fingerprinting, set at 75 years . At the same time, the collection of biometric data from children is accompanied by stricter safeguards and a limitation of the purposes for which these data can be used to situations where the best interests of the child are at stake with, in particular, a limitation of the retention period of the data.

Live facial images will be stored in the Visa Information System and used for biometric matching, in particular to verify the identity of persons or to identify them by comparing their image with those stored in the Visa Information System, subject to certain conditions and strict safeguards.

Specific risk indicators

Specific risk indicators will be integrated into the Visa Information System as an automated mechanism, which will examine all short-stay visa applications.

These indicators will not contain any personal data and will be based on statistics and information provided by Member States on threats, abnormal rates of refusal or overstay for certain categories of third-country nationals, and risks to public health.

Law enforcement access to VIS data

Designated authorities and Europol will have more structured access to the VIS, including to long-stay visas and residence permits, for the purpose of the prevention, detection and investigation of terrorist offences or other serious crimes, under specific conditions and in accordance with EU data protection rules and other safeguards provided for in the VIS.

Contribution to the EU readmission policy

The VIS will contribute to the efficiency of the EU return policy: copies of the applicant's travel document will be stored in the VIS, a measure which will facilitate the identification and readmission of persons without travel documents who are subject to a return procedure. In addition, Frontex, and in particular the Frontex teams involved in return operations, will have access to the VIS.

Transporters

Carriers will have (limited) access to VIS data (OK/NOT OK response) via the carrier’s gateway for the purpose of checking visas and residence permits. Carriers should inform passengers denied boarding on how to request access to VIS data. A derogation from these provisions should apply to carriers transporting groups for the first 18 months after the application has been made.

Fundamental rights

The Council position expands the provisions on general principles in order to strengthen the protection of fundamental rights when personal data are processed in the VIS, in particular with regard to the prohibition of discrimination against applicants. It aligns the data protection provisions of the VIS with the standards set in the General Data Protection Regulation (GDPR).

The European Parliament adopted by 522 votes to 122, with 31 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA.

The European Parliament's position adopted at first reading under the ordinary legislative procedure amended the Commission's proposal as follows.

Extended scope of the Visa Information System (VIS)

The Visa Information System (VIS) is a European database used by authorities to monitor third-country nationals requiring a visa to travel to the Schengen area.

The reform of the VIS should enable the system to better respond to security developments and migration challenges, and to optimise the management of the EU's external borders by extending its scope to long-stay visas and residence permits in order to address gaps in security information.

Purpose of the VIS

As regards short-stay visas, the VIS shall facilitate the exchange of data between Member States on visa applications and decisions, with a view to facilitating and accelerating the visa application procedure.

With regard to long-stay visas and residence permits, the VIS shall: (i) support a high level of security in all Member States by contributing to the assessment of whether the applicant or holder of a document is considered to pose a threat to public policy, internal security; (ii) facilitate checks at external border crossing points and enhance the effectiveness of checks within the territory of the Member States.

For all visas, the VIS shall assist in the identification of missing persons, in particular children, and contribute the prevention of threats to the internal security of any of the Member States, namely through the prevention, detection and investigation of terrorist offences or of other serious criminal offences in appropriate and strictly defined circumstances.

System architecture

Members proposed that Council Decision 2004/512/EC establishing the Visa Information System (VIS) be repealed and fully integrated into the VIS Regulation. They also recommend that certain elements of the Commission's implementing decisions be included in this Regulation.

The VIS would be based on a centralised architecture. The centralised services shall be duplicated to two different locations namely Strasbourg, France, hosting the principal VIS Central System, central unit (CU) and St Johann im Pongau, Austria, hosting the backup VIS Central System, backup central unit (BCU).

The central VIS system, the uniform national interfaces, the web service, the carrier gateway and the VIS communication infrastructure shall share and re-use as much as technically possible the hardware and software components of respectively the entry/exist central ( EES Central System), the EES national uniform interfaces, the ETIAS carrier gateway, the EES web service and the EES communication infrastructure.

Data processing

Processing of personal data within the VIS by each competent authority shall not result in discrimination against applicants, visa holders or applicants and holders of long-stay visas, and residence permits.

It shall fully respect human dignity and integrity and fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life and to the protection of personal data. Particular attention shall be paid to children, the elderly and persons with a disability and persons in need of international protection.

Fingerprint data of children

No fingerprints of children under the age of 6 shall be entered into VIS.

Parliament proposed that the collection of fingerprints from children should be subject to stricter safeguards and a limitation on the purposes for which such data may be used to situations where it is in the best interests of the child, in particular by limiting the storage period of stored data.

The biometric data of minors from the age of six shall be taken by officials trained specifically to take a minor's biometric data in a child-friendly and child-sensitive manner and in full respect of the best interests of the child.

Access to the system by centralised European agencies

The proposed reform shall ensure better access for Europol and law enforcement authorities to VIS data in order to identify crime victims and advance their investigations into serious crime or terrorism.

In the case of the European Border and Coast Guard Agency, Members believe it is essential that this agency has access to the system. However, they proposed restricting access for return teams while reinforcing access to statistics for the purpose of risk analysis.

Links with other systems and interoperability

Parliament intends to ensure the utmost coherence with other systems, in particular ETIAS, including its safeguards. Checks against other databases should also be carried out for holders of long-stay visas and residence permits.

However, in order to provide appropriate guarantees, Members specified which controls should be carried out. They also specified the specific measures following each hit, both to protect third-country nationals and to ensure the confidentiality of information.

Any hit resulting from the queries which cannot automatically be confirmed by VIS shall be manually verified by the national single point of contact. Depending on the type of data triggering the hit, the hit should be assessed either by consulates or by a national single point of contact, with the latter being responsible for hits generated in particular bylaw enforcement databases or systems.

Each Member State shall designate a national authority, operational 24 hours a day, 7 days a week, which shall ensure the relevant manual verifications and assessment of hits for the purposes of this Regulation.

Data transfer

Personal data obtained by a Member State pursuant to this Regulation shall not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. As an exception to that rule, however, it shall be possible to transfer such personal data to a third country or to an international organisation where such a transfer is subject to strict conditions and necessary in individual cases in order to assist with the identification of a third-country national in relation to his or her return.

Entry into force

Parliament proposed enhancing reporting mechanisms and setting a deadline of a maximum of two years to have this reformed VIS up and running.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Carlos COELHO (EPP, PT) on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA.

The committee recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the Commission's proposal as follows.

Scope of the Visa Information System (VIS)

Members believe that the proposed reform shall be the extension of the scope of the Visa Information System (VIS) to include long-stay visas and residence permits. This change shall increase the security of external borders and better secure the rights of long-term residents.

Purpose of the VIS

As regards short-stay visas , the VIS shall facilitate the exchange of data between Member States on visa applications and decisions, with a view to facilitating and accelerating the visa application procedure.

With regard to long-stay visas and residence permits , the VIS shall: (i) support a high level of security in all Member States by contributing to the assessment of whether the applicant or holder of a document is considered to pose a threat to public policy, internal security; (ii) facilitate checks at external border crossing points and enhance the effectiveness of checks within the territory of the Member States.

For all visas, the VIS shall assist in the identification of missing persons and contribute the prevention of threats to the internal security of any of the Member States, namely through the prevention, detection and investigation of terrorist offences or of other serious criminal offences in appropriate and strictly defined circumstances.

System architecture

Members proposed that Council Decision 2004/512/EC establishing the Visa Information System (VIS) be repealed and fully integrated into the VIS Regulation. They also recommend that certain elements of the Commission's implementing decisions be included in this Regulation.

The architecture of the system shall also reflect the expansion of its scope and usage: long stay visas and residence permits, queries by the entry-exit system and the new interoperability architecture.

The VIS would be based on a centralised architecture. The central VIS system, the uniform national interfaces, the web service, the carrier gateway and the VIS communication infrastructure shall share and re-use as much as technically possible the hardware and software components of respectively the entry/exist central ( EES Central System), the EES national uniform interfaces, the ETIAS carrier gateway, the EES web service and the EES communication infrastructure.

Data processing

Processing of personal data within the VIS by each competent authority shall not result in discrimination against applicants, visa holders or applicants and holders of long-stay visas, and residence permits on the grounds of sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

It shall fully respect human dignity and integrity and fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life and to the protection of personal data. Particular attention shall be paid to children, the elderly and persons with a disability and persons in need of international protection.

Children's fingerprints

Given that children are a particularly vulnerable group, Members propose that the collection of special categories of data, such as fingerprints, from children should be subject to stricter safeguards and a limitation of the purposes for which these data may be used to situations where it is in the child’s best interests, including by limiting the retention period for data storage.

Data transfer

Personal data obtained by a Member State pursuant to this Regulation should not be transferred or made available to any third country, international organisation or private entity established in or outside the Union. As an exception to that rule, however, it should be possible to transfer such personal data to a third country or to an international organisation where such a transfer is subject to strict conditions and necessary in individual cases in order to assist with the identification of a third-country national in relation to his or her return.

Access to the system by centralised European agencies

In the case of the European Border and Coast Guard Agency, Members believe it is essential that this agency has access to the system. However, they proposed restricting access for return teams while reinforcing access to statistics for the purpose of risk analysis.

Links with other systems and interoperability

Members intend to ensure the utmost coherence with other systems, in particular ETIAS, including its safeguards. Checks against other databases should also be carried out for holders of long-stay visas and residence permits.

However, in order to provide appropriate guarantees, Members specified which controls should be carried out. They also specified the specific measures following each hit, both to protect third-country nationals and to ensure the confidentiality of information.

Any hit resulting from the queries which cannot automatically be confirmed by VIS shall be manually verified by the national single point of contact. Depending on the type of data triggering the hit, the hit should be assessed either by consulates or by a national single point of contact, with the latter being responsible for hits generated in particular bylaw enforcement databases or systems.

Each Member State shall designate a national authority, operational 24 hours a day, 7 days a week, which shall ensure the relevant manual verifications and assessment of hits for the purposes of this Regulation.

Entry into force

Members proposed enhancing reporting mechanisms and setting a deadline of a maximum of two years to have this reformed VIS up and running.

Opinion of the European Data Protection Supervisor (EDPS) on the proposal for a new Regulation on the Visa Information System.

In order to enhance security and improve the EU external borders management, the Commission adopted a Proposal which would upgrade the Visa Information System (‘VIS’), the EU centralised database that contains information about persons applying for a Schengen visa.

In particular, the proposal provides for (a) the lowering of the fingerprint age for child applicants for a short stay visa from 12 years to 6 years; (b) the centralisation at EU level of data related to all holders of long stay visas and residence permits; and (c) the cross-check of visa applications against other EU information systems in the area of freedom, security and justice.

The EDPS made the following recommendations

Sensitive data

The EDPS stresses that biometric data such as fingerprints are highly sensitive. Their collection and use should be subject to a strict necessity analysis before deciding to store them in a database where a large number of persons will have their personal data processed.

Prevention against children right's abuses

The EDPS notes that it remains unclear whether or to what extent the child trafficking is rooted in or amplified by the mis- or non-identification of children entering the EU territory on the basis of a visa. Should further elements be provided in support of this claim, the EDPS stresses the importance to ensure that fingerprints of the children will be used only when it is in the best interest of the child in a specific case.

The EDPS recommends to introduce in the proposal a specific provision on the fingerprints of children to limit their processing to the purposes of:

- verifying the child's identity in the visa application procedure and at the external borders;

- contributing to the prevention and fight against children's right abuse only in a specific case.

In particular as regards the access by law enforcement authorities, the EDPS recommends to ensure that:

- such access must be necessary for the purpose of the prevention, detection or investigation of a child trafficking case;

- access is necessary in a specific case;

- a prior search in the relevant national databases and in the specific systems at Union level has been unsuccessful;

- reasonable grounds exist to consider that the consultation of the VIS will substantially contribute to the prevention, detection or investigation of the child trafficking case in question;

- the identification is in the best interest of the child.

Data recording in the VIS

By recording data on all holders of long-stay visas and residence permits in the VIS, the proposal would contribute, in the context of the proposal for interoperability of large-scale EU systems, to the creation of a centralised European network providing access to a considerable amount of information on all third-country nationals who have crossed or are considering crossing EU borders (i.e. millions of people).

In this context, the EDPS considers that the harmonisation of secure documents should be further examined and that the data stored in the VIS should be limited to persons whose long-stay visa or residence permit has been refused for security reasons.

Comparisons of data

The proposal provides for the comparison of data stored in the VIS with data stored in other systems built and used so far for purposes other than migration. In particular, the data of visa applicants would be compared with data collected and stored for police and judicial cooperation purposes.

The EDPS recommends:

- to clarify in the proposal the purpose of the comparison of the VIS data with Europol data, as well as the procedure and conditions applicable as regards the outcome of such comparison;

- to ensure that only alerts that are legally part of the visa issuance decision-making process would produce a hit accessible by visa authorities.

Other recommendations

The EDPS made additional recommendations related to the following aspects of the proposals: (i) categories of VIS data compared with data recorded in other systems; (ii) specific categories of visa applicants; (iii) definition of central authorities; (iv) use of VIS data to enter a SIS alert on missing persons; (v) verifications in case of a hit; (vi) access for law enforcement purposes; (vii) statistics; (viii) use of anonymised data for testing purposes; (ix) data quality monitoring; (x) supervision of the VIS.