Commission defends Breton's Atos over police data
-
The UK made numerous copies, both partial and full, of an EU police database (Photo: Tirza van Dijk)
The European Commission has spoken out in defence of the French IT firm Atos for hosting EU police data on behalf of the UK - contradicting its own public guidelines and a separate internal report that says it should not be done.
The issue is sensitive because Thierry Breton, who was until this weekend CEO of the company, is set to become the European commissioner for industrial policy.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
"It is not prohibited by EU law to make use of private companies when it comes to IT services and the maintenance of IT systems," Natasha Bertaud, a spokesperson for the European Commission, said on Tuesday (5 November).
She then repeated a statement by the company, confirming it does indeed host the police data in a secure room. Atos says it has no access to the data.
The data comes from an EU database known as the Schengen Information System or SIS for short, used by police to track down undocumented migrants, missing people, stolen property, or suspected criminals.
But a confidential document drafted by the European Commission and obtained by EUobserver specifically says private contractors should not be entrusted with SIS.
"Entrusting the management of the SIS technical copies to private contractors poses increased risks in terms of physical and logical data security," notes the document.
The report was written following spot checks at various sites in the UK by a team of Schengen experts and the European Commission in November 2017.
The document signals out Atos and US-parented companies IBM and CGI as culprits.
Atos hosts a partial technical copy of SIS managed by IBM.
But the copy only checks passenger information against non-flagged alerts for arrest, which is in itself against EU rules - specifically articles dealing with technical compliance, right to access alerts, and the processing of SIS data.
Commission's public guidelines
EU rules on operating SIS requires member states to ensure the data is properly maintained, updated and deleted.
Furthermore, the European Commission's own public recommendations clearly state that "neither the operational management of N.SIS II or any technical copies should be entrusted to third parties."
But the UK has ignored those rules and proceeded to make partial and full copies which it then dispersed across various sites, posing huge questions on how it is able to synchronise the data.
The European Commission on Tuesday appears to have ignored those same recommendations as well.