hard to predict and thus opens new opportunities for research especially in
Another part of the IMI is an alert mechanism for dangers resulting from
cross-border services. Due to its increased (potential) intrusiveness, this mechan-
ism is perfectly suited as a showcase for the new concept of “privacy-by-de-
In order to limit (and minimize) access to the database, diﬀerent groups
of actors (with access rights speciﬁcally tailored to their respective needs) were
created (I MI actors like competent authorities, coordinator and the Commission;
IMI users like request handlers, allocators, referral handlers and local data
Diﬀerent mechanisms (checklists for the warning criteria,
supervision by national coordinators) were implemented in order to limit data
transmissions to the data relevant to the respective task.
settings within the IMI and the creation of centralized recipient bodies in the
member states shall ensure that alert warnings are only sent to those member
states which are really aﬀected by a danger resulting from cross-border services.
Furthermore, participants are frequently asked to check whether warnings (and
the personal data connected with it) have to remain in the system or whether
they can be deleted; IMI users are warned with on-screen-popups when they are
about to distribute or retrieve sensitive data; IMI users’ data protection aware-
ness shall be raised during the IMI trainee programs as well as by data protection
information and privacy statements on the IMI website.
E. Deﬁcient legal steering of the establishment of
innovative information systems
As show in the previous section the Commission has shown to be aware of data
protection issues during the creation of the IMI, the creation of an adequate legal
(data protection) framework has proven diﬃcult.
It seems remarkable that – unlike the provisions on the SIS – both legal acts
implemented through the IMI (i.e. the Professional Qualiﬁcations Directive
2005/36/EC, Service Directive 2006/123/EC) do not contain any speciﬁc rules
providing a clear and detailed legislative basis for the processing of data through
an internal market information system. Even the creation of an electronic in-
21 EDPS, letter of 27. July 2010, p. 3.
22 COM (2010) 170, p. 8.
23 COM (2010) 170, pp. 8–9.
384 Jens-Peter Schneider
formation exchange system is only stipulated by the services directive. (More)
precise guidelines can only be found in two decisions and one recommendation
issued by the European Commission.
This rather informal step-by-step approach was chosen by the European
Commission in order to ﬁeld test the system ﬁ rst and draft the (legally binding)
rules on its use (which have to be enacted by the EU’s legislative authorities)
later. Actually, an European Commission’s legislative proposal (including propo-
sals to extend the use of the system to other areas of the internal market) is not
to be expected before the summer of 2011.
Even though one has to be aware of the risks which often go along with the
process of legalization (which may hamper innovations without improving the
factual level of data protection),
it is inadvisable to advance innovations in this
privacy-relevant area without any legal safeguards or guidelines. Rather, both
the risks and potential of European information systems have to be taken into
account during their creation.
The European Law on information management and data protection is con-
stantly changing. This dynamic is a major challenge for scholarly work in this
ﬁeld of law. At the same time this dynamic provides rewarding ﬁelds of work as
well as interesting academic perspectives. European law will steer administrative
information management and data protection more successfully than today, only
if the future legislative framework is more coherent and intelligible without
neglecting justiﬁed claims for diﬀerentiations.
It is a key aspect of the research programme of the recently founded
Research Network on EU Administrative Law (ReNeuAl) to support such a reform
by scholarly work not compromised by any institutional or organizational bias.
24 On the partly counterproductive juridiﬁcation of data privacy protection see: Hoﬀmann-
Riem, see supra note 9, pp. 516 et seqq., pp. 526 et seqq.; on the required scopes of
regulation on innovation see: Hoﬀmann-Riem/Schneidern (eds), Rechtswissenschaftliche
Innovationsforschung [“jurisprudential research of innovations”], pp. 389 et seqq.
25 For the complications of the judicial guaranty of innovation responsibility see: Eifert/
Hoﬀmann-Riem (eds), in: Innovationsverantwortung [“responsibility of innovation”], 2009.
26 See: http://www.reneual.eu/.
European Information Systems and Data Protection