THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 87(2)(a) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee(1),

Having regard to the opinion of the Committee of the Regions(2),

Acting in accordance with the ordinary legislative procedure(3),

Whereas:

(1) The European Image Archiving System on False and Authentic Documents Online (FADO) was established by Council Joint Action 98/700/JHA(4) within the General Secretariat of the Council. The FADO system was set up to facilitate the exchange of information on authentic documents and on known methods of falsification between Member State authorities. The FADO system provides for the electronic storage, rapid exchange and validation of information on authentic and false documents. Given that the detection of false documents is also important for citizens, organisations and businesses, the General Secretariat of the Council also made authentic documents available in a Public Register of Authentic Travel and Identity Documents Online, known as PRADO.

(2) Due to the fact that the management of the FADO system is outdated and should be adapted to the institutional framework established by the Treaty on the Functioning of the European Union (TFEU), Joint Action 98/700/JHA should be repealed and replaced by a new, updated instrument.

(3) This Regulation constitutes the necessary new legal basis for governing the FADO system.

(4) Document fraud can ultimately undermine the internal security of the Union. The use of the FADO system as an electronic storage system describing possible detection points, both in authentic and false documents, is an important tool in the fight against document fraud, in particular at the external borders. Given that the FADO system contributes to maintaining a high level of security within the Union by supporting police, border guard and other law enforcement authorities of the Member States in the fight against document fraud, the FADO system constitutes an important tool for the application of the Schengen acquis.

(5) While false documents and identity fraud are often detected at the external borders, the fight against false documents is an area covered by police cooperation. False documents are pseudo documents, documents that have been forged and documents that have been counterfeited. The use of false documents in the Union has significantly increased in recent years. Document and identity fraud entails the production and use of false documents and the use of authentic documents obtained by fraudulent means. False documents are a multi-purpose criminal tool because they can be used repeatedly to support different criminal activities, including money laundering and terrorism. The techniques used to produce false documents have become increasingly sophisticated and, as a result, it is necessary to have high-quality information on possible detection points, in particular security features and fraud characteristics, and update that information frequently.

(6) The FADO system should contain information on all types of authentic travel, identity, residence and civil status documents, driving licences and vehicle licences issued by Member States, on the laissez-passer issued by the Union and on false versions of such documents in their possession. It should be possible for the FADO system to contain information on other related official documents, in particular those used in support of applications for official documents, issued by Member States, and on false versions thereof. It should also be possible for the FADO system to contain information on all types of authentic travel, identity, residence and civil status documents, driving licences and vehicle licences and on other related official documents, in particular those used in support of applications for official documents, issued by third parties, such as third countries, territorial entities, international organisations and other entities subject to international law, and on false versions thereof.

(7) Personal data in the FADO system should only be processed to the extent strictly necessary for the purpose of operating the FADO system. As a direct consequence of the purpose for which the FADO system was created, only limited information related to an identified or identifiable person should be stored in the FADO system. The FADO system should contain personal data in the form of facial images or alphanumerical information only insofar as they are related to security features or the method of falsification of a document. It should be possible to store such limited personal data either in the form of different elements appearing in the specimens of authentic documents or in the form of pseudonymised data in authentic or false documents. The European Border and Coast Guard Agency (the ‘Agency’), governed by Regulation (EU) 2019/1896 of the European Parliament and of the Council(5), should take the necessary steps to pseudonymise all elements of personal data which are not necessary in relation to the purposes for which the data are processed in accordance with the principle of data minimisation. It should not be possible to search for any elements of personal data in the FADO system nor should it be possible to identify any natural person by means of the FADO system without using additional data. The FADO system should not be used to identify a natural person.

(8) Any processing of personal data by Member States in the context of this Regulation should be in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council(6) or Directive (EU) 2016/680 of the European Parliament and of the Council(7), as applicable.

(9) While Member States are able to maintain or develop their own national systems containing information on authentic and false documents, they should be obliged to provide the Agency with information on authentic documents which they issue, including on the security features thereof, and on false versions of such documents in their possession. The Agency should enter that information in the FADO system and guarantee the uniformity and quality of the information.

(10) The Union issues laissez-passer to members of the Union institutions, bodies, offices and agencies and servants of the Union to be used for service purposes in accordance with Council Regulation (EU) No 1417/2013(8). The Union should be obliged to provide the Agency with information on such authentic documents and the security features thereof.

(11) Different stakeholders, including the general public, should be provided with different levels of access to the FADO system depending on their needs and the sensitivity of the data concerned.

(12) In order to ensure that Member States control document fraud to a high level, the Member State authorities competent in the area of document fraud, such as police, border guard and other law enforcement authorities and other relevant national authorities, should be provided, on a need-to-know basis, with different levels of access to the FADO system depending on their needs. Member States should determine which competent authorities are to be provided with access and the level of access with which they are to be provided. The Commission and the Agency should also determine which of their administrative units are competent to access the FADO system. The FADO system should enable users to have at their disposal information on any new methods of falsification that are detected and on new authentic documents that are in circulation, depending on their access rights.

(13) Over the past years, the Agency has developed expertise in the area of document fraud. Synergies should therefore be enhanced by leveraging the Agency’s expertise in order to benefit the Member States in that area. The Agency should take over and operate the FADO system as provided for in Regulation (EU) 2019/1896. That take over should not affect those actors which already have access to the FADO system, namely the Commission, the Agency, the European Union Agency for Law Enforcement Cooperation, established by Regulation (EU) 2016/794 of the European Parliament and of the Council(9), the Member States and the general public. After the Agency takes over the FADO system, it should provide the Member States with support in the detection of false documents. Additionally, and where appropriate, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice, established by Regulation (EU) 2018/1726 of the European Parliament and of the Council(10), may provide technical support to the Agency in accordance with Regulation (EU) 2019/1896.

(14) It should be ensured that, during the transitional period, the FADO system remains fully operational until the transfer has been effectively carried out and the existing information has been transferred to the new system. The ownership of the existing data should then be transferred to the Agency.

(15) This Regulation does not affect the competence of Member States in relation to the recognition of passports, travel documents, visas or other identity documents.

(16) In order to allow Union institutions, bodies, offices and agencies other than the Commission and the Agency, third parties, such as third countries, territorial entities, international organisations and other entities subject to international law, or private entities, such as airlines and other carriers, to access information in the FADO system, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of establishing measures granting access in a limited manner to the FADO system to those Union institutions, bodies, offices and agencies, third parties and private entities. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(11). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(17) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission with regard to the technical architecture of the FADO system, the establishment of the technical specifications, the procedures for controlling and verifying information and the determination of the date of the effective implementation of the FADO system by the Agency. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council(12).

(18) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (TEU) and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(19) Ireland is taking part in this Regulation, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the TEU and to the TFEU and Article 6(2) of Council Decision 2002/192/EC(13).

(20) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters’ association with the implementation, application and development of the Schengen acquis (14), which fall within the area referred to in Article 1, point H, of Council Decision 1999/437/EC(15).

(21) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (16), which fall within the area referred to in Article 1, point H, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/149/JHA(17).

(22) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (18), which fall within the area referred to in Article 1, point H, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/349/EU(19).

(23) The European Data Protection Supervisor was consulted in accordance with point (d) of Article 46 of Regulation (EC) No 45/2001 of the European Parliament and of the Council(20) and delivered an opinion on 3 December 2018,

HAVE ADOPTED THIS REGULATION: