Senior Consultant in the Portuguese Data Protection Authority (CNPD) and Member of the Supervision Coordinated Groups of Eurodac, VIS, CIS and SIS II
The Eurodac information system is a fine example of how data protection principles are bend to accommodate political choices in favour of ‘solutions’ that result in excessive compression of fundamental rights with no solid justification of their need and indispensability.
From being presented as an instrument to effectively implement the EU Dublin Regulation, with a well-defined purpose for collecting asylum seekers’ data, Eurodac has progressively become a police tool for searching ‘unknown suspects’ among international protection applicants based on latent fingerprints retrieved from crime scenes. It has evolved into a database going far beyond its original objective, with structural changes allowing for new functionalities that have converted it from a non-suspect database into a potential criminals’ database.
This major shift in the Eurodac nature has a huge impact on the data subjects whose personal data is processed, including children. People seeking international protection are already in a vulnerable position. They face great challenges to escape from a variety of harmful situations. Asylum seekers are victims of those who take advantage of their desperation.
Refugees in general are running away from countries where they can be potentially and unlawfully treated as criminals for several reasons. They hope to reach an area where they can aspire to have acceptable living conditions and where they can find respect for human dignity, fairness, solidarity and trust. Surely they do not hope to be perceived or treated like criminals as well.
When proposing access by law enforcement authorities (LEA) to Eurodac, the EU legislator was very well aware of the consequences of taking this step forward and the message that it would send to the international community. To mitigate criticism and to facilitate acceptance from the human rights watchdogs, some alleged safeguards were introduced in the legal act, such as the need for prior adequacy, necessity and proportionality assessment of the request for access to data by ‘independent’ verifying authorities. Absurdly, this task was entrusted to other LEA or even to the same law enforcement body, as it is the case of Europol. This clearly prevents an impartial and effective check.
Besides the fact that LEA are granted access to a database of non-suspects for purposes of preventing and investigating serious crime, LEA access comprises specific risks for the rights of the individuals. This is particularly so in light of the possible sharing of information with the countries from which refugees and asylum seekers are escaping, endangering their families and themselves if being returned.
The general prohibition provided by law on that regard might not be an enough guarantee in a framework of increased exchanges of information by LEA within the EU and at international level, including onward transfers. In such a picture, the probability of losing control of such data gets exponentially higher.
In breach of key data protection principles
The Eurodac system is about to change again with the implementation of the Interoperability Regulations. This is not because there is a real need to do so, but rather to fit the interoperability design requirements, notably the common identity repository (CIR).
Currently, Eurodac has very few data apart from the 10 fingerprints of the data subjects. These are more than enough to ascertain a person’s identity to determine which Member State is responsible for examining the asylum application, or to identify an irregularly staying third country national or stateless person.
The identity fraud in this scenario would be equivalent to the False Non-Matching Rate (FNMR) for fingerprints, which according to Commission Implementing Decision (EU) 2019/329 is less than 0,5%. Therefore, such added purpose to justify interoperability would not be achieved in the case of Eurodac.
The 2016 Eurodac recast proposal provided no sound justification or a data protection impact assessment showing the necessity to extend the data processed in the system to facial image and to alphanumerical data. This concern was pointed out by the data protection supervisory authorities altogether in the Eurodac Supervision Coordinated Group (SCG) in a letter addressed to the European Parliament’s LIBE Committee on 21 December 2016.
The interoperability is actually an interconnection among six different systems, each one of them with different purposes. This interconnection will indeed create new centralized databases at EU level, transversal to all systems and fed by them. In order to make this work properly, the systems have to be in the same ‘playing field’, and henceforth there are structural adjustments to be made.
That is why Eurodac will process more personal data, not because there is a proven need of such an amendment to manage the system efficiently. Also, there will be a direct impact on the data storage periods through the envisaged links between data processed in different systems.
From a data protection point of view, the interoperability regulations raise additional serious concerns, as it skips key-principles, such as purpose limitation and data minimization. Refugees will have their data processed side-by-side with convicted criminals and suspects of having committed crimes. In reality, searches through the European Search Portal (ESP) will elude any prior verifications foreseen for the access by law enforcement authorities. Such access is verifiable by national data protection authorities (DPAs) or by courts.
Circumventing prior checks on law enforcement access
The interoperability search capabilities will always return a hit. This will be so even if the data is not immediately displayed. The layered access to data within the interoperability framework has been presented as a positive safeguard for better controlling who can have access to the full information. This is a correct assumption from a data protection perspective, and it is appreciated and encouraged by DPAs as a good practice.
However, a simple ‘hit/no hit’ feature already constitutes information, in particular in a law enforcement context. The interoperable search portal will enable LEA to search Eurodac in an early stage and get immediate knowledge whether there is a hit in the system. This will clearly circumvent the required previous quests to other EU systems and the prior submission to a verification procedure.
In any event, the ESP will blur the objective of a search and the access to the personal data. LEA already have access to the SIS II and the VIS, and they will also have access to EES, ETIAS and ECRIS-TCN.
At the same time, it will boost the statistics while diluting them in relation to each separate system. On the basis of these statistics conclusions could be drawn on the usage level of the system, and the necessity for the data processing, especially in what regards LEA LEA. That foreseeable increase will give support to certain choices and convey the idea of successful ‘solution’, even though it might be only virtual.
LEA Access to Eurodac is provided by Regulation (EU) 603/2013, which is apllicable since 20 July 2015. According to eu-LISA reports on the annual Eurodac Statistics, the number of searches was quite low from 2015 to 2018: 1391.
These figures reinforce the argument that LEA access to Eurodac is not necessary and represents an unjustified imbalance in relation to the rights and freedoms of the refugees. This inequity, or asymmetry following Carrera’s blog in this forum, is even more evident when the children’s age for processing data in Eurodac lowers from 14 to 6 years old, whereas police access becomes easier and less accountable.
A challenge ahead: DPAs supervision
Interoperability will be a serious challenge in general for DPAs. All the difficulties that DPAs experience at present when supervising each of the three already existing EU databases will become much bigger in the near future.
Interoperability sets a web of cross accesses, links among systems, identities and purposes, data controllers, responsibilities and a multiplicity of applicable national laws. Certain aspects are regulated in detail at EU level and imposed top-down; others, however, are more likely to generate visible discrimination as they are left to Member States’ national law discretion. This includes the Interoperability Regulations’ approach to children’s rights, coercive measures or the criminal legal framework, which may ultimately generate different grounds for searching Eurodac data.
The exercise of data subject rights within the interoperability configuration is envisaged as extremely complex. Currently, the model of just one controller responsible for the data processing and for ensuring data access, rectification and deletion has already some identified shortcomings. This is so when the involvement of two Member States is required and in relation to notably delayed responses to the requester.
In the future, whenever a request for access, rectification or deletion of data involves more than one controller (due to the links between EU systems), the procedure will tend to become even longer and more cumbersome. More efforts will be added when the data processed is subject to restrictions of access.
Even the consolidation of cooperation mechanisms among DPAs, which has been enhanced over the years, cannot overcome the difficulties brought by the new legal framework.
Regarding Eurodac, one of the main challenges concerns the right to information of the data subject, enabling the exercise of other fundamental rights. If the information provided when the fingerprints are taken is not adequate in light of the circumstances under which the data is collected, this will compromise the guarantees of data subjects.
The Eurodac SCG already reported on this issue in June 2009 and issued recommendations on how to render effective the right to information. The SCG has just developed, jointly with the EU Fundamental Rights Agency (FRA), a leaflet addressed to national competent authorities to provide guidance on legal compliance and best practices.
It is then of the utmost importance that NGOs are present in the field providing legal assistance and noticing possible data protection infringements. In addition, DPAs need to be more proactive in inspecting the Eurodac data processing, including the lawfulness of access to Eurodac data and further use.
The Interoperability Regulations provide for an enhanced coordinated supervision system comprising the EDPS and national DPAs in the framework of the European Data Protection Board. This may bring a more holistic vision of all the systems and their interaction.
Another challenge for DPAs will be to have the necessary resources to be able to effectively perform their supervisory tasks in this domain, beyond the current priority focus on GDPR market issues.
The fast-track legislative procedure of the Interoperability Regulations in parallel with ongoing amendments to the source EU databases has put at stake the intelligibility of the entire project. Concerns will tend to increase when interoperability becomes operational. It will then show the full extent of its consequences for the fundamental right to data protection.
As the contribution by Quintel in this Forum also shows, interoperability will bring down the few safeguards that Eurodac presently contains, in particular those concerning LEA access. The potential criminalization of international protection applicants will give place to a factual scenario where the personal data of a 6 years-old refugee will be in the same database as a convicted criminal, and it will be searched in the same manner.
The impositions of the interoperability scheme upon the recast Eurodac system are in clear violation of the principle of proportionality: they are not adequate for the purpose; they are not needed; they are excessive. It is absolutely essential to strike the balance, so the rights enshrined in Articles 7 and 8 the EU Charter are effectively guaranteed to refugees.