On 11 December 2023, the CNIL called to order the Ministry of the Interior and Overseas France and the Ministry of Europe and Foreign Affairs for their poor management of French systems relating to visa applications in the Schengen area.
The European Visa Information System (VIS) centralises data on visa applicants and applications for the Schengen area. It is used by the French authorities to examine short-stay visa applications and decisions to refuse, extend, cancel or withdraw visas, as well as to check visas and visa applicants or holders.
The European Schengen Information System (Schengen file) is a European file in which persons wanted for arrest or extradition or in connection with criminal proceedings, missing persons and certain persons banned from entering the country are entered.
In France, the national portal for accessing VIS data comprises a central system and 157 local copies in the various French consular posts. It also enables the Schengen database to be queried when a visa application is submitted.
In application of European regulations specific to Schengen information systems, national authorities must audit their national systems every four years. It was in this context that the CNIL took the initiative of carrying out checks.
On the basis of the findings made during the various inspections, the select committee – the CNIL body responsible for imposing penalties – considered that the ministries had breached European regulations and the Data Protection Act. It issued a call to order, which it has decided to make public.
The law does not allow the CNIL to impose fines on the State. However, the CNIL can take a number of other corrective measures against the State: a formal notice, a call to order, or an injunction to comply or to respond to a request to exercise a person’s rights. In addition, it may make its decision public in order to alert the public to the seriousness of a situation.
Illicit copies and inaccurate data
The select committee noted that the French portal operated on the basis of an extraction from the national copy of the Schengen file, which was duplicated both in the central system and in the local copies of the consular posts.
However, the European regulation prohibits Member States from creating copies of their national database, whereas the French authorities are directly connected to the European system. In addition, the use of these copies leads in practice to a problem of inaccurate data. In fact, several synchronisation problems have been noted between the European systems and the French files, as well as data discrepancies between the central French system and the local databases of the consular posts.
The select committee concluded that the ministries had failed to meet their obligations under article 4 of the Data Protection Act by making national copies of the data and processing inaccurate data.
A system that is now compliant
The select committee noted that the ministries had put an end to the breaches observed by dismantling the national portal and replacing it in May 2023 with a compliant system, the France-Visas application.
https://www.cnil.fr/fr/gestion-des-visas-dans-lespace-schengen-la-cnil-sanctionne-deux-ministeres