AEDH

Entry/exit system: “Smart borders” that neglect the personal data protection

This post is also available in: frFrançais (French)

In 2011, the European Commission launched a “smart borders” policy to improve border security in the European Union. This includes the use of automated border controls (ABC)[1]. Among these automated border control systems, there are four main information systems; SIS, Eurodac, ETIAS and EES[2]. The latter, EES, will replace the current manual system of “stamping of passports” and whose entry is scheduled for 2020, will be analyzed here.

Functioning

The EES system will apply to non-Europeans traveling within the Schengen area, including those who need a visa and to those who are exempt. The system records and stores personal data: names and surnames, but also date, time and place of entry or exit of third-country nationals, travel documents, biometric data (facial image and fingerprints). This system calculates the duration of their authorised stay and alerts Member States when the authorized stay has expired[3].

Objectives

The main objectives of this entry/exit system are to improve and reinforce border control of non-residents traveling to the EU, and decrease the number of people who overstay and improve the fight against terrorism[4].

What problems does this system raise?

First, the issue of data retention is problematic. Data from third country nationals who have respected the authorized length of stay will have their data kept for three years. The argument put forward to justify such a length of time is that it allows for better border management in order to prevent third-country nationals from registering again in the SEA. This data is also kept for three years for third-country nationals whose entry into the Schengen area for a short period has been refused, and this period is extended to five years for third-country nationals who have who have not exited the territory of the Member States within the authorised period of stay… Thus, for those who visit the Schengen area at least once every three years, their data will be permanently kept.
With regard to the capture of the facial image, the question of necessity arises to the extent that this is already provided for in the VIS framework and that the text wants to establish that these two information systems can work together. The use of biometric data is justified as follows:

The use of biometrics, despite its impact on the privacy of travellers, is justified for two reasons. First, biometrics are a reliable method of identifying third-country nationals who are present on the territory of the Member States but not in possession of travel documents or any other means of identification, a common situation for irregular migrants. Second, biometrics allow for a more reliable matching of entry and exit data of bona fide travellers (…).”[5]

What about the question of proportionality?

The retention period for personal data and the recording of biometric data raises the question of the principle of proportionality and personal data protection, a fundamental right enshrined in Article 8 of the European Charter of Human Rights. The European Data Protection Supervisor (EDPS) recently published a document[6] mentioning several times the need for proportionality with regard to the processing of personal data. To ensure this, EDPS states that : “(…) any new or modified data processing should be clearly defined in the relevant legal instrument and be equally necessary and proportionate in relation to its clearly stated objectives[7], or that “(…) compliance with EU data protection rules goes beyond the principles of data protection by design default, the obligation to apply security measures, etc. and requires that necessity and proportionality of processing are first established”[8].

Therefore, and despite the fact that Tanja Fajon, MEP, S&D Group Vice President and S&D negotiator for the new information system, has mentioned being concerned about the “ultimate purpose of these technologies” which according to her assumes that each passenger for the EU is a potential criminal, the European executive has decided to vote in favour of a system that undermines the protection of personal data. The idea according to which such a lack of data protection in the Schengen acquis is a “fairly important chaos” and that “arguments of reason have been replaced by arguments of misunderstanding and populism“, as expressed by Tanja Fajon, summarizes the situation.

AEDH regrets that no compromise has been found between border control and the protection of personal data and regrets in particular that the proposal of the Social Democrats to reduce the storage time of data to 180 days was not retained.


[1] Pinja Lehtonen & Pami Aalto (2017) Smart and secure borders through automated border control systems in the EU? The views of political stakeholders in the Member States, European Security, 26:2, 207-225

[2] EU information systems, 25/01/2017, European Commission

[3] REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011, Union européenne, 08/11/2017

[4] Legislative train schedule, towards a new policy on migration, entry/exit system (2016 smart borders package), Parlement européen, 2017

[5] REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011, p.11, Union européenne, 08/11/2017

[6] Reflection paper on the interoperability of information systems in the area of freedom, security and justice, European data protection supervisor, 17/11/2017

[7] Reflection paper on the interoperability of information systems in the area of freedom, security and justice, p.3, Superviseur européen de protection des données, 17/11/2017

[8] Reflection paper on the interoperability of information systems in the area of freedom, security and justice, p.12, Superviseur européen de protection des données, 17/11/2017

webmin