Nothing new under the sun? Interoperability of EU justice and home databases


Kees Groenendijk
Professor Emeritus, Centre for Migration Law, Radboud University of Nijmegen


One of the main and more surprising messages voiced by the European Commission regarding the two interoperability regulations (Regulation 2019/817 and Regulation 2019/818) is twofold: first, interoperability does not chance much; and second, any changes relate to third country nationals (TCNs), not to Union citizens. A certain contradiction between these two elements is however apparent, unless the message may be understood to mean: ‘do not bother about the changes because they will only apply to foreigners’. But taken separately, their correctness is in my view subject to serious doubts as well, which I critically explore in this contribution.

Are TCNs, and not EU citizens, the only ones concerned?

Thedifference between EU citizens and TCNs was repeatedly pointed out during the Task Force discussions. Only TCNs will be concerned and affected by interoperability. EU citizens will not be bothered and, hence, there is no reason for them to worry. The underlying message was therefore: they are concerned, not us. Such a statement apparently disregards or forgets four main issues:

First, it was the explicit intention of the Union legislator that interoperability should facilitate identity checks not only at the EU external borders, but also inside the Member States’ territory. This can be expected to result in more internal controls. Considering the past experiences with such internal checks in Member States, both TCNs and EU nationals of immigrant origin perceived to be TCNs will be the primary targets of such controls.

Second, the data on EU family members of TCNs (their ‘sponsors’) is registered in the Visa Information System (VIS).

Third, as the Meijers Committee has underlined, personal data of Union citizens having the nationality of a third country (dual nationals) will be registered in ECRIS-TCN (Article 2 of Regulation 2019/816). Interoperability will expand the effects of those Union citizens dealt with as TCNs. Confronted with the indirect discriminatory effects of this provision, an EU official participating in the Task Force replied that dual nationals in fact discriminate against those of ‘us’ who have only one EU nationality. This reply disregarded that discrimination supposes treating a person less favourable on ground of his or her ethnic origin. Moreover, having two nationalities may result in additional rights, but also in more obligations and risks, such as being treated as a second-class citizen.

Fourth, many TCNs living or temporarily staying in the EU have EU national family members who will be concerned by checks, decisions and other negative effects of the use of the new possibilities created by the Interoperability Regulations. This was confirmed by a Task Force participant working for an NGO providing a daily telephone helpdesk for EU citizens experiencing problems when using their free movement rights under Union law.

What about refugees?

Interoperability will have profound implications for refugees who have specific international protection needs. For many refugees the fear that authorities in their country of origin will get information on their asylum request is a major concern, considering possible far-reaching negative effects for remaining family members and for the long-term negative effects on the refugee’s chances of return to that country. Hence, the rules on transfer of information to third countries appeared a relevant open issue.

Article 50 of Regulation 2019/818 provides that no data will be transferred to third countries. However, this same provision refers to exceptions for data transfers in seven other regulations covering different EU databases. The conditions in the relevant provisions of those seven regulations vary. Whether information may be transferred to third country authorities depends among others on agreements and arrangements concluded by the Commission, Frontex or Europol with those countries. How will a Turkish asylum seeker or his lawyer be able to establish whether his personal data may be transferred to Turkey, and estimate the risk that this data is transferred indirectly or informally to Turkish authorities? The black letter law is already complex, and the practise may differ from ‘the law in the books’.

I was told by a Member of the European Parliament that Bulgarian and Frontex officials exchange data at the Bulgarian-Turkish border, and that Turkish officials are working in the same building. Who can guarantee that the behaviour of all officials involved will be in conformity with the rules envisaged in all the relevant EU regulations in practice? According to the official monitoring body of the Dutch intelligence agencies in two reports published in 2019, those agencies paid insufficient attention to the possible harm to third-country nationals of the exchange of information with non-EU agencies. Moreover, these same agencies did not always comply with the procedural rules or requested the required permission by the responsible minister for the transfer of information to third country agencies. I am afraid that similar irregular situations could occur in other member states as well.

Hardly any serious changes…

During the Task Force several participants stated that interoperability between the existing data systems would produce very little or almost no changes in comparison to the current state of play. “There is no reason to worry”, was their explicit or implicit conclusion. However, why did the EU legislator considered it necessary to make two new Regulations together covering 109 pages in the EU’s Official Journal, and requiring an estimated budget of more than €400 million Euros over the next nine years, if nothing would really change?

The legislative complexity of the two Regulation is simply overwhelming. Regulation 2019/817 covers 58 pages in the Official Journal, has 84 preambles and 78 (long and detailed) articles. Regulation 2019/818 covers 51 pages in the OJ, has 80 preambles and 75 articles. The directives together change ten related other EU instruments. How many practising lawyers will ever read the preambles to understand the meaning of the articles? A German colleague labelled the two Interoperability Regulations, and their relation with the separate regulations on each of the six EU data systems (Eurodac, SIS, VIS, EES, ETIAS and ECRIS-TCN), as ‘ein gesetzgeberischer Alptraum’ (i.e. a legislative nightmare).

No serious evaluation of the current use of immigration databases by criminal law authorities

The two original grounds for the new Interoperability Regulations were better and quicker access by border guards and police authorities to the information stored in all EU JHA data systems and solving problems with people having ‘multiple identities’. As regards the first official justification, the Commission has not provided any reliable evidence as to the actual uses by police or criminal law authorities and the results of their access to data in EU immigration databases. In the absence of that evidence, it is hardly possible to judge whether the new instruments, such as the Common Identity Repository (CIR), established by the Interoperability Regulations will really solve any practical challenges or improve the current situation.

According to data published by eu-LISA, from October 2015 until the end of September 2017 seven Member States and Switzerland reported having used the VIS for the purpose of prevention, detection and investigation of terrorist offences and other serious criminal offences. In total almost 28,000 searches by law enforcement authorities were performed by Finland, France, Germany, Greece, Hungary, the Netherlands, Spain and Switzerland during those two years. Over 46 % of all the searches were executed by France, followed by Germany, with 19 %, and Switzerland, with 18 % of the total. During the reporting period 785 urgent searches pursuant to Article 4(2) of the VIS Decision were performed, 91 % by Spain and 9 % by Germany. The eu-LISA report does not provide any data on the kind of criminal cases in respect of which information was requested, nor on the usefulness of the information received from VIS or on the outcome of member states’ action on the basis of that information.

From the three annual reports on Eurodac for 2016-2018 published also by eu-LISA it appears that the total number of searches in Eurodac for criminal law purposes increased from 326 in 2016 to 550 in 2017 and decreased to 296 in 2018. Almost 90% of all searches for this purpose were performed by two member states (Germany and Austria). Only eight other member states ever searched Eurodac for criminal law purposes. Most of those eight member states produced one or two hits per year. In 2018 the 296 searches produced 195 ‘hits’.

Apparently, several member states do not comply with the central data protection rule of Article 20(1) of the Eurodac Regulation, obliging authorities to first check national databases before making a check in Eurodac. A quarter of all hits were so-called ‘local hits’, since the search produced data registered in Eurodac by the same member state conducting the search. The data should have been available in the national systems.

Europol was connected to Eurodac in June 2017 and performed a total of 114 in the second half of that year. In the whole of 2018 Europol performed only 10 searches in Eurodac. Possibly Europol’s experience with the usefulness of the hits in the previous six months was not that positive. The annual reports do not provide any information on the actual effects of the ‘hits’ in the criminal law process in member states.

Why are VIS and Eurodac data used by a few member states only? Why was the use of Eurodac data for criminal law purposes by member states and Europol diminishing in 2018? Will interoperability actually reduce or take away the barriers for use of Eurodac and other immigration databases for criminal law purposes? The access and risks associated with that access can be hardly justified in the absence of any evidence on the actual effects of access to Eurodac data for criminal law purposes, and considering the very large number of persons whose (biometric) personal data are stored in the EU immigration law databases.

Built-in asymmetry

The contribution by Sergio Carrera to this Blog Forum points out to an asymmetry in access to interoperable data by EU data citizens: easy, wider and quick access for authorities, and difficult, fragmented and slow access for persons – irrespective of their migration status – whose personal data are registered, processed and transferred. According to the above-mentioned Eurodac annual reports for 2016-2018, the total number of requests by TCNs for access to their own data varied between 100 and 170 per year. More than 75% of all requests in those three years came from France and Malta. Apparently, the accessibility, expertise and activities of the national authorities largely determine the actual use of this right.

This asymmetry also exists with regard to financing. According to the Explanatory Memorandum accompanying the Interoperability proposal, a total budget of €425 million Euros has been estimated for the first nine years – mostly (€225 million) for euLisa and the other €200 million Euros for member states, Europol, Frontex, CEPOL and the Directorate General (DG) Home Affairs of the Commission. No (earmarked) money has been foreseen for the national data protection supervisory authorities who are already overburdened and understaffed. They will also acquire new tasks in the two new Interoperability regulations. These are clear indications of which provisions in the regulations are taken more seriously in Brussels and in member states’ capitals, and which ones are not.

A Task Force participant working with a national data protection supervisory authority in a member state told me that her supervisory body was completely overburdened with monitoring the application of the 2016 General Data Protection Regulation (GDPR), and did not have any time for any additional monitoring tasks. Article 51(4) of both Interoperability Regulations provides that member states shall ensure that their supervisory authorities have sufficient resources and expertise to fulfil the new tasks entrusted to them. That was a cheap solution for the EU and will not be of much use to the individuals concerned in most member states.

The length of the legislation and the level of expected costs indicate that interoperability implies major changes. These changes will produce serious risks both for third-country nationals and EU citizens. Whether the adopted system will really contribute to solving the problems of immigration, police or criminal justice authorities, which were given as the reasons to embark on interoperability, is unclear due to lack of reliable data.