This post is also available in: Français (French)
Yesterday, the European Border and Coast Guard, tomorrow the establishment of an Entry/Exit System, the European Union keeps creating new instruments for border management. Facing an important increase of external border crossings, the European Union develops tools to facilitate and accelerate verification process. The European Commission recently presented a revised proposal for a Regulation on the establishment of an Entry-Exit System, an information system storage data (information on identity –including biometric -, nationality, travel documents, education and professional activity and State of entry) concerning entry and exit data (or refusal of entry data) of third country nationals crossing the external borders of the Member States. This tool represents a straight continuation of EU policies on borders, combining stigmatisation of foreigners, with a low level of consideration given to the right to privacy and to the protection of personal data.
Proliferation of information systems on foreigners
“The assimilation of terrorists to foreigners is a serious mistake and does not reflect reality”underlined Gilles de Kerchove, EU Counter-Terrorism Coordinator. Yet, the European texts establishing databases on people crossing external borders of the European Union multiply in order to collect and retain their data, and the budget devoted to it increases. The Internal Security Fund, the instrument for financial support for external borders and common policy have thus resources amounting to 2,760 million euro, including 791 million for developing IT systems, based on existing and/or new IT systems, supporting the management of migration flows across the external borders. It inevitably creates a climate of suspicion towards foreign nationals.
The proposal for the establishment of an Entry-Exit System is just one component of a series of European texts relating to information systems. SIS (for wanting or missing people), VIS (for people with short-stay visa to visit or to transit through the Schengen Area), Eurodac (for people applying for asylum) and the new proposals such as ETIAS (for people coming from visa-exempt third country nationals) and EES reveal the Commission’s dynamics, aiming to multiple tools targeting foreigners. On the pretext that the European Union wants to simplify and speed-up border-crossing, these databases are now also used for security purposes. Far from being insignificant, databases perpetuate defiance and criminalisation of foreigners, now perceived as a threat to security.
These tools are a cause for concern because, apart from the multiplication of European texts, the European institutions modify those already in existence in order to respond to public concern about the terrorist threat, concern often generated by law-enforcement authorities. These evolutions are incompatible with the protection of Human Rights and protection of personal data of foreign nationals.
Change of purpose of tools focused on border management
Over the past few years, the European Commission works towards change of actual tools in order to use them not only to manage borders but also to fight against terrorism. It can be noted that there is an extension of the use of databases to prevention and detection of terrorist offences and serious crime. It is the case for Eurodac since the revision completed in 2013, the 2008 regulation on visa information system (VIS), as well as the second version of the Schengen Information System (SIS II) which have allowed to extend the use of these tools for security policies. Since then, the dual purpose is included from the creation of new tools of border management as evidenced by the Entry-Exit System proposal and the European Travel Information and Authorisation System (ETIAS) proposal.
Regarding multiple purposes, the Eurodac text goes even further by allowing EU-Lisa, the European Agency for the operational management of Large-Scale IT Systems, to use personal data in order to test new technologies. The multiplicity of purposes is extremely detrimental to the protection of personal data. The risk, according to Marie-Christine Vergiat, Member of the European Parliament, is this: “in assimilating border control and fight against criminality, law-enforcement authorities will be able to access information in the same conditions than border-guards, confusing different purposes, denying the principle of necessity and of proportionality and linking migration, criminality and terrorism”.
This risk was also underlined by the EDPS : “Since information systems are built for a specific purpose, with safeguards, security, conditions for access determined by this purpose, granting systematic access for a purpose different from the original one would not only infringe the principle of purpose limitation, but could also make the above mentioned elements inadequate or insufficient”.
A database shall indeed, according to the European law and in order to protect fundamental rights, be established for a clear and precise purpose, it means that a personal data is collected to reach a specific and predefined objective. It is a fundamental right in the protection of personal data to which current texts do not comply. With regards to proportionality, requiring that a tool goes no further than is strictly necessary to achieve their purpose, one could logically question the proportionality of such a dynamic of multiplication of databases. Despite the first purpose of border management, the Schengen Information System permitted the arrest of more than 25,000 between April 2013 and December 2015.
A Larger access to data
The dual purpose is logically combined with a larger access, especially for law-enforcement authorities. This trend is reflected in the Communication of the Commission of 24 November 2005: “In relation to the objective of combating terrorism and crime, the Council now identifies the absence of access by internal security authorities to VIS data as a shortcoming. The same could also be said for all SIS II immigration and EURODAC data. This is now considered by the law enforcement community to be a serious gap in the identification of suspected perpetrators of a serious crime”. It contributes to the criminalisation of foreigners in so far as a simple border-crossing is sufficient reason to allow an easier access to law-enforcement authorities to numerous personal data.
Yet, the EDPS raised an early alert on these evolutions: “The EDPS is aware that the law enforcement agencies are interested in being granted access to the VIS; Council Conclusions in this sense have been adopted on 7 March 2005. As the purpose of the VIS is the improvement of the common visa policy, it should be noted that routine access by law enforcement authorities would not be in accordance with this purpose. While, according to Article 13 of Directive 95/46/EC, such an access could be granted on an ad hoc basis, in specific circumstances and subject to the appropriate safeguards, a systematic access cannot be allowed”.
This extension of authorisation access is particularly disturbing since it concerns not only law-enforcement authorities but sometimes also governmental services (vehicle registration service and SIS II for example).
The change of purpose also includes that Europol officials access databases, as provided by the 2013 Eurodac revision and SIS II. Yet, the Europol Convention provides for the capacity to sign strategic or operational cooperation agreements with third countries or international organisations, what it has done a lot. Personal data of people crossing border are likely to be shared with authorities of numerous countries, which is a serious violation of the protection of their personal data.
Interoperability is the capacity of information systems and the operational processes, for which they provide support, to exchange data and ensure the sharing of information and knowledge. Many databases are interconnected to one another (EES and VIS, SIS II…), it questions one more time the finality and the proportionality of European instruments since their initial purpose was the facilitation of border-crossing.
Extension of targeted people
The extension of targeted people is symptomatic and in a worrying degree. For example, the Eurodac proposal of the Commission of Mai 2016, still under discussion in the Council, provides for a lowering of age from 14 to 6 for people whose data are collected. Data on very young children will be collected and retained in the same way as adults. Yet, as specified by AEDH’s position, minor children should be excluded from the application of these information systems.
Increasing of the retention period
The European texts always integrate longer data retention. For each revision, data retention is extended and modelled on the database with the longest data retention. Thus, the revised proposal of the Commission on an Entry-Exit System provided for data retention of 5 years whereas the 2013 proposal provided for 181 days. Data retention was finally reduced to 3 years by the LIBE Commission of 27th February 2017. Yet, the EDPS underlined in its opinion on Smart Borders of the 13 December 20126 that: “the five years’ retention period of EES data. The EDPS notes that the need for keeping overstayers’ data for five years should be better demonstrated and that a retention period of five years for all personal data stored in the EES appears to be disproportionate”.
Extension of information
Data collected become more numerous and more sensitive. The recording of biometric data has gradually become almost systematic. Whereas biometrics was initially provided by Eurodac and VIS agreements, it was added in the second version of SIS. The EES proposal provides also for biometrics (only ETIAS should not contain biometrics). Yet, this data is particularly sensitive since biometric data is produced by the body of the data subject and therefore allows the identification of the person on the basis of a biological reality. The data designates it and no one else, immutably unlike any other personal data. Generalisation of biometrics for all databases is, therefore, a concerning evolution.
AEDH deplores the fact that, in the name of improving border management, the European institutions choose the “all security” way in considering each border-crossing as a potential threat. This logic contributes to stigmatisation of foreigners now considered as a risk. We start to think along a precautionary line (the precautionary principle comes from environmental law), which justifies the establishment of always more security technologies which are increasingly utilised by national authorities, especially databases which become a tool for anticipation of “risky” behaviour. We cross the line of a paradigm of precaution. The assessment is alarming for the future of the right to privacy and to the protection of personal data.
Chronology of the above-mentioned legislations:
19 June 1990: Convention implementing the Schengen Agreement signed, including the System Information Schengen
11 December 2000: Council Regulation No 2725/2000 of 11 December 2000 concerning the establishment of ’Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention.
28 December 2004: Proposal for a Regulation of the European Parliament and of the Council concerning the Visa Information System (VIS) and the exchange of data between the Member States on short stay-visas
20 December 2006: Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II).
9 July 2008: Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between the Member States on short-stay visas (VIS Regulation)
6 April 2016: Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes
16 November 2016: Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation System (ETIAS)
 The main role of the European Border and Coast Guard is to help provide integrated border management at the external borders. It will ensure the effective management of migration flows and provide a high level of security for the EU.
 Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes
 Robert Schuman Foundation, interview with Gilles de Kerchove Coordinator for the fight to counter terrorism, 14/03/2016
 Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC
 Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person
 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between the Member States on short-stay visas (VIS Regulation)
 Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second-generation Schengen Information System (SIS II)
 Proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 515/2014, (EU) 2016/399, (EU) 2016/794 and (EU) 2016/1624 [doc. 14082/16 FRONT 426 VISA 351 DAPIX 198 CODEC 1586 COMIX 725 – COM(2016) 731 final] Opinion on the application of the Principles of Subsidiarity and Proportionality
 MC Vergiat’s opinion: http://www.eurocitoyenne.fr/sites/default/files/opinion_minoritaire_ees.pdf
 Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision concerning access for consultation of the Visa Information System (VIS) by the authorities of Member States responsible for internal security and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences.https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Consultation/Opinions/2006/06-01-20_Access_VIS_EN.pdf
 Communication from the Commission to the Council and the European Parliament on improved effectiveness, enhanced interoperability and synergies among European databases in the area of Justice and Home Affairs /* COM/2005/0597 final
 Opinion of the European Data Protection Supervisor on the Proposal for a Council Decision concerning access for consultation of the Visa Information System (VIS) by the authorities of Member States responsible for internal security and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences
 United States, Georgia, United Arab Emirates; Ukraine, Bosnia and Herzegovina, Russia, Turkey…
 Executive Summary of the Opinion of the European Data Protection Supervisor on the second EU Smart Borders package, 21 September 2016
 Sylvia Preuss-Laussinotte, « Bases de données personnelles et politiques de sécurité : une protection illusoire ? », Cultures & Conflits [En ligne], 64 | hiver 2006