Mo’databases, mo’problems? The EU’s new interoperability systems and enhanced policing of third country nationals


Alyna C. Smith and Michele LeVoy, PICUM



In May 2019, the line between criminal law and immigration was further blurred when two regulations were adopted by the EU to create a framework of interoperability for EU information systems in the areas of justice and home affairs. Indeed, this framework was conceived of as building on “synergies” between Europe’s agendas on security and migration, respectively, with the aim of strengthening concurrently border management and law enforcement responses to terrorism and serious crime. This comingling of agendas is now reflected in a comingling of information systems that have arisen at different times and for different purposes, but which are today joined under a common and explicit security agenda.

The new interoperability framework thus reinforces the link between irregular status and criminality and is a further embodiment of an approach to irregular migration grounded in a criminal justice model of deterrence that skirts the broader systemic causes of irregularity. The creation of these vast information systems that pool for future law enforcement uses the personal data of asylum seekers, visa applicants, and people with criminal convictions, among others, sits uneasily alongside the EU’s longstanding recognition of the protection of personal data as a fundamental right. Experience shows that breach of this right has knock-on effects for other fundamental rights. We have good reason to believe, then, that interoperability will succeed in achieving deterrence – not of people’s decisions to live and work in Europe, but rather of their decision to reach out for help when they are mistreated, or to access the most basic of services when they are in need. Amid the swirl of legal and technical complexity, what seems certain is that these new systems will deepen mistrust and reinforce insecurity for an already marginalised segment of European society.

A further blurring of the line between criminal law and immigration law

Interoperability brings “crimmigration” into the digital age, creating vast repositories of data gathered from non-EU citizens to support both immigration and law enforcement goals. The interoperability regulations represent a new frontier in the encroachment of criminal law into to what is, essentially, a matter of administrative categories. The disproportionality of a criminal justice approach to immigration law – characterized by myriad quasi-criminal and criminal penalties, including deprivation of liberty (detention), and the criminalisation of irregular entry or stay in many member states – is fully embodied in these regulations.

The purported needs they address are the (unsubstantiated claim of) widespread use of false documents and the supposed crisis of irregular entry and stay, as well as drive to increase the rate of deportations. The response is the construction of enormous databases – the Common Identify Repository, for instance, will store up to 300 million records – that massively increase the risk of error and duplication, all to provide national police some additional information to do more of what they are already doing. 

EU officials have repeatedly emphasized that interoperability does not create new access rights for end users; law and border enforcement actors will not have the right to access any personal data they didn’t have the right to access before. It simply improves the efficiency of their access and improves their decision-making.

But this – questionable – boost in efficiency is surely minor compared to the monstrous risk of rights violations these new interoperability systems create. It is notable that the new regulations were passed despite significant concerns about their implications for fundamental rights – and in particular their necessity and proportionality – by a variety of different bodies including the European Data Protection Supervisor and the EU Agency for Fundamental Rights (FRA).

There is the further practical and legal challenge that the blurring of these lines creates uncertainty about the applicable legal framework. Is it the EU General Data Protection Regulation (GDPR) that defines rights and obligations in any given case – or is it the Law Enforcement Directive, which specifically addresses rights and obligations that apply to the protection of personal data in the criminal justice context? This is not a purely theoretic question: it bears directly on the rules that apply to the police, and clarity about where there is a breach of those rules that would allow access to a remedy.

In tension with the EU’s leadership on data protection

The fundamental right most obviously implicated by the new interoperability regulations is the right to the protection of personal data, guaranteed under Article 8 of the EU’s Charter of Fundamental Rights. It is especially striking then that they were adopted almost exactly one year after the adoption of another EU regulation: the GDPR, the gold standard internationally for the protection of personal data. Consistent with the character of data protection as a fundamental right, the GDPR is applicable to all data subjects; it makes no distinction between EU citizens and non-citizens. It is hard not to see these developments, just one year apart, as profoundly incoherent and contradictory.

Grounding the interoperability regulations in a security rationale no doubt eased, for policymakers, the work of justifying the scale of likely rights infringement – particularly as they are (for now) limited to the rights of non-citizens. But what is the justification for that security rationale absorbing wholesale the EU’s IT infrastructure for migration management? The progressive convergence over decades between immigration enforcement and law enforcement agendas for some makes this seem only natural – but its clear incompatibility with the EU’s fundamental rights framework, including its recent legislation on data protection, should speak clearly to its deeply discriminatory nature.  

Putting at risk additional fundamental rights

Beyond Article 8 of the Charter, the new regulations implicate additional fundamental rights – like Article 21, which prohibits discrimination, and Article 47, which guarantees the right to an effective remedy. The latter provision seems especially relevant given the opacity of these regulations, and the likelihood that the people whose data is concerned are certain to struggle to understand how their data is used, what to do if their rights are infringed, and to whom to turn for a remedy.

The new regulations also need to be understood against the backdrop of existing realities. People who are undocumented face an ever-present risk of apprehension and deportation – including when they try to access health care in some member states, or when they try to report mistreatment they have endured. Knowledge that their personal data is being pooled in these massive systems risks deepening the sense of being perpetually policed. The consequence is increased fear and mistrust of authorities as well as service providers, and retreat from support structures, which means deepened social exclusion with real effects on individuals’ and communities’ safety and wellbeing.

The complexity of the new regulations and of the information systems they concern is surely only a shadow of the complexity of their pending implementation. Given that the driving need for these new systems was more assumed than empirically demonstrated, it is unclear how much the new systems will in fact change existing practice. It remains to be seen then whether interoperability will promote achievement of the EU’s goals of increased apprehensions and return – but it will almost assuredly foster deepened social exclusion of people with insecure status, with consequent diminishment of their safety and security. In short, the growing convergence of Europe’s migration and security agendas means an increasing divergence from our fundamental rights framework.