Research Associate, European University Institute
Due to the flexible institutional structure of EU databases (SIS II, VIS, Eurodac, EES, ETIAS, ECRIS-TCN), the storage and exchange of information has become a defining element of European cooperation, which can be accomplished through data gathering and analysis. The fuel for such a process – personal data flows integrated into an interoperable information system – reflects the rights and interests of individuals, in particular of third country nationals whose personal data will be stored and further processed in interoperable ways for multiple purposes.
The various institutions and the practices of the actors involved will shape a system that is not centrally driven or aligned with the previously identified purposes of the different interoperable components and databases. This constitutes a complex and fragmented arena, given the different positions of the European Parliament and the Council during the design of the Interoperability Regulations 817/2019 and 818/2019 as well as the multiplicity of EU and national actors involved. The degrees of complexity and fragmentation of information and legal remedies in the hands of individuals will depend upon different normative regimes of information sharing, inter-agency cooperation and cooperation agreements with third countries. In addition, as the law and technology intertwine in composite ways, interoperability brings to light the real challenges in transposing technical solutions into a feasible legal design.
This Blog argues that the central issue at stake with interoperability is in fact how data will be used, for which ends and by whom, and if these data can be owned or not by data users.
Two possible scenarios seem to open opposite paths for interoperability, depending on how the slippery overlap between the notions of “data user” and “data owner” will be integrated into the system: first, should individuals or state actors and EU agencies own personal data? (See Carrera’s blog in this Forum.) Does this mean that interoperability becomes nothing more than a data transfer with all the consequences in terms of power of non-disclosure and discretion of data originators, according to their capacity to negotiate with interoperable actors the highest amount of data to share?
Although a property right over data may be abstractly useful for offering strong protection to the data subjects of third country nationals, such cases are unlikely in practice. Third country nationals are often obliged to hand over their data even if they only have in mind to apply for a visa or any other permits/authorizations. They have no other choice. A right over property does not add anything as they have no commercial or legal powers vis-à-vis states and agencies.
A model where interoperability would be a data transfer would also assure an advantage for the primacy of the public interest for those authorities that originate data in the information system through single databases at national level. Nonetheless, this picture significantly weakens the rationale of interoperability that primarily aims to foster cooperation among states and agencies for contrasting multiple identities.
Second, should personal data be ‘un-ownable’ by States or EU agencies or by individuals? In this scenario interoperability would be considered as a peer-to-peer framework in which third parties can use data for multiple but limited purposes, whereas individuals – in particular third country nationals – can contrast the fragmentation of their identities through the control of flows of ‘bits and pieces’ of data.
It must be borne in mind that un-ownability is a guarantee also for individuals as their data would be inherent to their personality rights and it would therefore not be necessary to create for them property rights in order to ensure better legal protection. In the EU context, it is not obvious to think in terms of commercial appropriation of personal data, since giving an ‘economic value’ to attributes of personality is considered as being against human dignity. On the contrary, the creation of a property right over personal data may legitimise those trends that use the protection of fundamental rights in only a rhetorical way and not with a real legal purpose. After all, data protection and privacy are clearly recognized as fundamental rights even by Interoperability Regulations.
Based on this premise, the Task Force brought light the fact that addressing ‘identity fraud’ requires personal identity to be built on fragmented pieces of information that are shared, handed over, disaggregated and re-aggregated in a partial and stigmatizing way. This may strongly jeopardise third country nationals’ rights.
This fragmentation reveals an increasing differentiation between ‘data’ and ‘information’, which ultimately may hamper the legal protection of third country nationals, whose own expectations strongly depend upon the need to modernize border management and ensure law enforcement efficiency. The surrounding architecture of data flows also produces clashes between the functioning of interoperable components (e.g. European search portal, shared biometric matching system, multiple-identity detector, common identity repository) and the purpose limitation principle.
In fact, the interplay between security and the lack of transparency in decision-making may raise issues of potential discrimination towards third country nationals, as interoperability in fact affects only these individuals (see Groenendijc’s blog in this Forum). Algorithmic transparency, for instance, appears to be a very controversial and challenging issue that can be pursued only under certain conditions, in order to fulfil efficient and fundamental rights-compliant information sharing.
Nonetheless, data should be as accurate and reliable as possible in order to ensure adequate levels of data quality and accountability. Furthermore, interoperability creates a new interaction with other existing instruments such as the operational data regime and the relevant data protection framework and also raises issues related to safeguarding international protection and fundamental rights protections. How exactly these processes will take effect is at present not clear.
Firstly, it is unclear how the applicability of General Data Protection Regulation (GDPR) to data processing that does not fall under the umbrella of the Law Enforcement Directive has any relevance in practice. Cases in which a single search may give rise to multiple results from all the systems can be expected to create uncertainty and lack of transparency. It would assist law enforcement authorities if they had access to migration and asylum databases through the common identity repository solely in order to identify a person. Secondly, there is an emerging risk of indirect discrimination towards certain groups across society, such as third country nationals, depending upon their treatment as ‘bare data’ and not individuals.
A change of paradigm is therefore necessary. Instead of focusing on the examples showing how third country nationals are discriminated in comparison to EU citizens, the transitioning status of third country nationals could be better addressed in terms of identity construction through forms of additional protection rather than in terms of discriminatory factors. This option would better reflect the transitioning status of their rights, which are strictly connected to the complex and multifaceted re-construction of their electronic identity through the applications and administrative proceedings of various information systems. Their stories are often recorded as a simplistic collection of data to fill out dossiers. However, each life story is much more than a collection of data.
The hypothesis of data un-ownability is particularly fruitful. Data un-ownability would not affect in any case the fundamental rights protection of third country nationals. In other words, it is not the individuals’ ownership of personal data that determines an alternative to the discrimination of third country nationals: data, once it becomes part of an EU database, leaves the unique individual sphere of control in any event. Rather, the fact that third country nationals are equal to other parties in not exercising a property right over their data is the pre-requisite to their equal protection before the law, which is ultimately based on fundamental rights protection under the EU Charter of Fundamental Rights. This distinction seriously entails taking into account that the lives of third country nationals may be neglected due to a false perception of their personal data and, consequently, a lower protection be afforded to their privacy.
The hypothesis that data ownership is not relevant for the protection of fundamental rights provides interesting potentials for how centrally the principle of non-discrimination of third country nationals must be enshrined, in both the legal design and daily practice of interoperable information sharing. Data un-ownability – considering personal data as not alienable – if duly justified in light of the legal categories available, could then become a valuable frame for interoperability, insofar as interoperability could become an instrument to deny the exclusive use of information by originator authorities against peers such as national and EU authorities and third country nationals.
In such a complex configuration of multiple regulatory layers as well as the different interests at stake, interoperability will play a crucial role in reconfiguring a new geo-political order across the EU, which seeks to combine formal tools and informal practices of information sharing.
Counterintuitively, one may think that data belong to those who generate them, either individuals or states. At a first glance, generating data is the first thing that someone can do with information, such as accessing and using it for definite purposes, and sharing, transferring, re-using or erasing it in all subsequent activities. Such a basic notion of ownership lays itself open to being deconstructed as the common use of the term ‘ownership’ is very different from its legal definition.
In terms of effects, data originators who input and share data in an interoperable system could: 1) claim legitimate limits to its access by other interoperable actors as they would have an exclusive ‘access right’ over the data; 2) prevent third country nationals from activating any form of control over their own data, or other possible safeguards, as they would not have resort to national remedies on the basis of citizenship but only through special forms of international protection. Such a conclusion is exactly what interoperability should aim to avoid, even if considered only from the perspective of the ‘Security Union’.