Introduction
The importance of safeguarding personal information when using the internet cannot be overstated. In today’s digital age, an increasing number of people are sharing sensitive data digitally, whether it be for personal reasons or for professional ones.
Unfortunately, this increased activity also plays into the hands of cybercriminals who seek to exploit any vulnerability to pilfer data and use it for nefarious purposes such as fraud, identity theft, or money laundering. It is therefore vital that steps are taken to ensure that any personal data submitted online remains safe and secure from unwanted access.
With the introduction of the ETIAS in 2021, travelers heading to and from Europe with visa-free access to EU Member States must adjust their travel plans. Registered applicants are required to fill out an online form that requires the submission of personal data which is then stored electronically in EU databases.
This brings up legitimate concerns about the safety and security of this information. In this article, we will go over the details of what data is collected, who has access to it, and how long it is stored in relation to applications for ETIAS authorization.
Accessing Data
Applicants for ETIAS authorization will be required to provide a range of personal data and other information, such as job, travel objectives, health, and criminal records (where appropriate). It is predicted that roughly 95% of applications will be approved without any difficulty.
On the other hand, those that are rejected may be challenged at an ETIAS National Unit in a participating country. For people outside of the European Union, the request for authorization will go directly to the ETIAS Central Unit which provides 24/7 services. These bodies are responsible for collecting and assessing the data before coming to a decision on whether or not to accept the application.
- ETIAS National Units are designed to be the primary authority responsible for processing applications that fail to meet the criteria. In these cases, they will assess the risk associated with each applicant through manual assessments, and then either endorse or reject the application. Furthermore, these units will provide detailed information about the appeal process in case a decision is not accepted.
- The ETIAS Central Unit, managed and operated by the European Border and Coast Guard Agency, will serve as a repository for the data and information provided by applicants. Its primary responsibilities include:
  - Ensuring the information recorded and saved is up-to-date and precise.
  - Verifying the identity of an applicant and the data provided in their application.
  - Assessing and modifying particular risk and security factors or indications.
  - Observing the handling of applications with respect to privacy, basic rights, and data security.
Sharing of Data
Once an individual’s information has been properly validated and recorded in the Central Unit, it can be accessed by various security services to compare against their own databases. These systems and agencies include:
- The Schengen Information System (SIS)
- The Entry/Exit System (EES)
- The Visa Information System (VIS)
- Interpol
- Europol
- Eurodac
The European Travel Information and Authorization System (ETIAS) Central Unit’s database is only made accessible to European law enforcement agencies upon meeting particular conditions – such as concerning the investigation, detection, or prevention of criminal or terrorist activities.
To enhance and bolster the European Union’s internal and external security, ETIAS will also develop its own special watch list containing risk indicators.
ETIAS will also have the ability to request additional information from national authorities and third countries if necessary, in order to properly assess the risk posed by an individual traveler.
Overall, the ETIAS system aims to provide a more efficient and effective way to screen and assess the potential risks associated with non-EU travelers entering the EU, while also streamlining the travel process for low-risk individuals.
Storing Data, Data Security, and Data Retention
The data collected for ETIAS applications is protected and secured in an encrypted computer system located at the ETIAS Central Unit. This ensures that only authorized European law enforcement agencies have access to the applicant’s information and that it is used only for its intended purpose. To guarantee this level of security, the access provided to these agencies is limited to only the relevant data.
As proposed by the European Commission, ETIAS is designed to follow the Charter of Fundamental Rights and guarantee the highest possible standard of data protection in its implementation. All records collected within the system will be stored with strict adherence to a given expiration period which currently stands at:
- The three-year validity period of the ETIAS authorization, or
- Five years after denial, authorization revocation, or annulment of the ETIAS waiver
Personal data may be stored for an additional three-year period following the expiration of the original agreement, with express consent from the applicant. This extended access is necessary to process any new renewal applications that may come in during this time frame.
At any point during this three-year extension, applicants have the right to revoke their permission and have their stored data and application forms deleted immediately.
Once the expiration date has been reached – be it mutually agreed upon or pre-set automatically – all the details provided by the applicant will be eliminated from the ETIAS Central Unit’s storage and their original application form shall be wiped out after 7 days.
In addition to the right to revoke permission for extended storage, applicants also have the right to access, rectify, erase, or restrict the processing of their personal data. They can do this by contacting the ETIAS Central Unit or EU-Lisa directly.
The ETIAS system is designed to protect the personal data of applicants and ensure that it is processed in accordance with data protection laws. This includes strict measures to prevent unauthorized access to, or use of, personal data.
Any breach of security that results in unauthorized access to personal data will be promptly reported to the appropriate authorities and the affected individuals will be notified as soon as possible.
Operational Security of the ETIAS System
The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security, and Justice (EU-Lisa) will be responsible for the operational security of ETIAS. This agency has already been managing major databases such as the Schengen Information System (SIS), Eurodac, and the Visa Information System (VIS). Currently, it is overseeing the development of the ETIAS registration procedure, as well as designing its website and mobile application.
EU-Lisa has developed significant expertise in the development, upkeep, and running of complex IT infrastructures. The organization will train the personnel at the ETIAS Central Unit so as to ensure they are well-versed in the rights of applicants, protecting their data, and utilizing the new system’s functionalities.
In addition to training the personnel at the ETIAS Central Unit, EU-Lisa will also implement robust security measures to protect the system from external threats. These measures may include firewalls, encryption, and regular security audits to ensure the system is secure from cyber-attacks.
EU-Lisa will also work closely with the European Border and Coast Guard Agency (Frontex) and other relevant authorities to ensure that the ETIAS system is integrated smoothly into existing security processes and procedures. This will ensure that the ETIAS system is able to effectively contribute to the overall security of the European Union.