Plans by several European Union (EU) members states to establish a system for sharing police data have drawn criticism from the region's data protection watchdog.
European Data Protection Supervisor (EDPS) Peter Hustinx warns that the proposal, in its current form, still lacks safeguards to ensure sufficient data protection for the public.
"The proposal is very open on crucial points," Hustinx said. "We need a framework of common rules before we can move ahead."
Under the system, known as the Treaty of Prum after the German town where the accord was signed by seven EU member states in 2005, participating nations allow mutual and automatic access to databases containing DNA and fingerprint records, as well as car registration and other personal information. For instance, police can run database searches on suspected individuals and retrieve information within minutes.
Support for the security measure has grown as EU member states worry about international terrorism, organised crime and illegal immigration.
While Hustinx is not opposed to the exchange of DNA and fingerprint data per se, he is concerned about a lack of specific rules governing the use of an EU-wide system for sharing personal information.
The proposal, he said, doesn't specify "the categories of people" to be contained in DNA databases – whether, for instance, only convicted individuals should be included or also people with a police record or even a much broader group.
Nor does the proposal define the period for retaining information or a process for amending it, he added.
One of Hustinx's main concerns is complexity. It's one thing to launch a data-sharing plan with a small number of countries that have "a rather high level of expertise with both DNA databases and data protection," but it's something completely different when 27 countries are involved, Hustinx said. "That's a quantum step."
Germany and Austria are currently testing the police database exchange, with Belgium, France, Luxemburg, the Netherlands and Spain to follow. In all, 15 EU member states have so far agreed to join, including a few new members from Eastern Europe.
"I'm not so sure whether all the countries involved have the same level of protection to make the scheme workable," Hustinx said. "We need a level playing field in terms of safeguards."
Without these, the proposal would diminish not only "legal protection" for EU citizens but also "the efficiency of law enforcement" and could lead to endless litigation, he warned.
Hustinx's office has issued a document to EU governments with recommendations for usage rules that would ensure data protection without requiring modifications to the information exchange system. For example, he wants a rule that specifies who is included in the database search. He also wants a rule that says how long data should be retained.
Germany, which currently holds the EU's rotating presidency, hopes to have an agreement by all 27 member states by the end of June.