Part-Time Professor, Migration Policy Centre (MPC), EUI
The EU Interoperability Regulations aim at enlarging and ‘breaking the silos’ to access digital data held in various EU migration, asylum and security databases by national law enforcement (police) authorities and EU agencies such as Frontex and eu-LISA. This contribution argues that the inherent expansionistic and centralising policy logic to digital data by security actors and professionals has not been accompanied by an equal playing field of ‘access rights’ by EU Digital Citizens, who under EU privacy law include indistinctly EU citizens, third country nationals, asylum seekers and refugees. This results in an asymmetry in access rights and equal treatment among individuals.
Data ownership and access asymmetry
The Interoperability Regulations have been founded on the need to expand access by national and EU authorities policing migration to all existing EU databases covering purposes as diverse as migration, asylum, borders and crime/terrorism. These include, by now, the Schengen Information System II (SIS), the Visa Information System (VIS), Eurodac, the European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN), the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS).
The main officially stated rationale has been to break operational and technical ‘silos’ between different EU databases, which were criticized for ‘not talking to each other’ or being ‘compartmentalised’. While access by national police authorities to these databases – including Eurodac – had already been controversially allowed in previous EU legislation, the Interoperability Regulations take accessibility by policing actors and EU agencies to the next level. They unequivocally expand the instances where security professionals responsible for investigating, detecting and/or prosecuting serious crime or terrorism can have access to and make use of refugees’, asylum seekers’ and migrants’ data.
Perhaps the most illustrative example of such expansionist policing access is the fact that interoperability will unlock the previously restricted access to EU databases such as Eurodac, VIS, EES and ETIAS for police check purposes inside the Schengen territory. With the establishment of the internal border control-free Schengen area, national police and border authorities had lost access to this data, as they have been only allowed to carry out spot checks of a non-systematic nature and not amounting to border controls. For purposes of checking a person’s identity, interoperability will mean that these national authorities will become new ‘end users’ of these EU databases.
The Frontex (European Border and Coast Guard, EBCG) Agency is another ‘winner’ of interoperability. Previously, Frontex did not have access to the VIS, Eurodac and ECRIS-TCN. The new Regulations expand its access to all EU information systems for statistical data and risk assessment purposes, and extend it to EBCG Support Teams providing operational support to Member States. Another ‘winner’ is eu-LISA, which has been placed in the driving seat of Interoperability, even before the Regulations were formally adopted. While its tasks are dressed as purely ‘technical’ or managerial, eu-LISA has far-reaching competences including data processing, operational and ‘research’ tasks and supervising data quality in the EU interoperable databases.
The Task Force discussions revealed that this ‘access expansionism’ has not come along with equal access rights for individuals who are the legitimate right owners of their data. It is unclear what justice venues and instruments are available to third country nationals and asylum seekers in cases where EU databases may contain inaccurate or wrong data, as shown by EU FRA research, leading to wrong decisions.
The contribution by Smith and Levoy in this Forum highlights that their insecurity of residence and fear of expulsion can be expected to increase barriers to effective remedies in comparison to nationals. It is also unclear which legal protection frameworks will apply to each of them, and how adequate existing effective remedies and complaint mechanisms are in cases of rights violations. In short, the centralising logic driving interoperability comes along with a fragmenting logic of justice for individuals.
Interoperability assumes that law enforcement and border authorities have ‘access rights’ to information stored in EU databases. The language of ‘rights’ by authorities is misleading. It disregards that the only legally recognised ‘right’ and ownership over this data primarily belongs to individuals, irrespective of migration status. Interoperability wrongly assumes that people can be legitimately dis-owned of their data. This assumption is directly contrary to current EU privacy and data protection legal standards, which proclaim that every person under EU jurisdiction qualifies as an EU Digital Citizen.
Another point of discussion during the Task Force related to whether interoperability implies a risk of discriminating against certain groups in society, in particular those of non-national origin. Several participants pointed out that interconnected EU databases for policing purposes will inevitably lead to increasing stigmatization effects on prohibited grounds such as ethnic or racial origin. Widening access by law enforcement authorities opens up a huge temptation to overuse and misuse these databases.
Interoperability will result in a new set of EU databases – a European Search Portal (ESP), a Common Identity Repository (CIR) and a Biometric Matching Service (BMS). These have been designed to create new ‘links’ between existing data systems and construct new electronic identity profiles of ‘undesirable individuals’ in the EU. The act of mobility across borders and inside the Schengen territory, and those individuals having different identities, will by design be framed as risk indicators or as suspect of quasi-criminal activity.
The Task Force conversations pointed out that the fact that some individuals may have different legal identities should not be per se a ground of suspicion. There are cases where multiple identities are in fact justified and legitimate, including for example persons holding dual nationality or those with transitioning migration and asylum administrative statuses. As the contribution by Groenendijk to this Blog Forum points out, the data of EU citizens holding a double nationality will also be included in the ECRIS-TCN database, which brings certain EU citizens under the radar.
Some people moving inside Schengen will risk being exposed to more ‘identity checks’ as well. This may be the case of mobile EU citizens with migrant origin or racial background. Moreover, the current EU policy priority to prevent and criminalise ‘secondary movements’ disregards that onward movements by asylum seekers may be legitimate and non-voluntary. Factors lawfully justifying legitimate onward movement may include for instance degrading reception and living conditions, including cases of destitution and extreme poverty, the lack of life opportunities, or cases of institutionalized discrimination and xenophobia in EU Member States’ governments.
Towards Interoperable Justice
The Task Force brought to the fore the need to address the asymmetry in access rights by Digital Citizens. A key policy priority should be to devise and develop an interoperable justice paradigm. EU policy making should keep at its centre the privacy rights of EU Digital Citizens as the legitimate owners of their own data.
The starting point should be breaking the ‘justice silos’ and data protection fragmentation resulting from existing EU databases and their future interoperable faces. Investment should go into enhancing the key role and functions of National Data Protection Authorities (NDPAs) which, as Groenendijk’s and Guerra’s Blogs underline, are often too understaffed and over-burdened to effectively comply with current and future supervision needs. The development of effective and independent complaint mechanisms for affected individuals should constitute another priority, including before the eu-LISA agency, whose mandate should be revised to ensure higher legal, democratic and judicial accountability.
In line with the rule of law approach outlined in Mitsilegas’ Forum contribution, the operationalisation and implementation phases of the Interoperability Regulations must be subject to detailed democratic monitoring by the European Parliament, and to financial control by the European Court of Auditors (ECA). This monitoring should focus on the proportionality and legitimacy of any previously unforeseen functionalities and financial costs during their roll-out, to avoid past mistakes in the implementation of EU databases such as the SIS II.
Closer attention should be paid to the scope and implications of consecutive amendments in the founding regulations of existing EU databases, some of which are currently being renegotiated. The EU should set up a permanent monitoring system of EU Member States’ police checks to prevent systematic identity checks amounting to border controls inside the Schengen area.