Deported for reporting a crime: the paradox of securitisation policies

Clash between two EU legislations affecting the rights of undocumented people

In the EU, when undocumented people witness or suffer a crime, they are often reluctant to report it. Why? Fear of detention and deportation. This fear leads to underreporting of crimes and denies migrants access to the protection they need. While EU law is supposed to protect all victims of crime, as foreseen by the EU Victims Rights Directive, undocumented people do not feel included. Instead, “securitisation” policies in many countries treat them as potential security threats, prioritising deportation over ensuring their basic human rights. Consequently, these policies criminalise migrants, denying them their essential right to access justice, and allow many crimes to go unreported, thereby failing to address the “public safety” concerns they are supposed to solve.

At the heart of this issue is the tension between two key EU legislations: the Return Directive and the EU’s data protection framework. This article breaks down the risks of this clash on the fundamental rights of undocumented people, and underscores the importance of guaranteeing “safe reporting” within a recast of the Return Directive, now that seventeen European states have demanded its reform to speed-up deportations. It also lays out five policy recommendations to make sure the fundamental right to personal data protection is upheld in the current legislative framework.

The Return Directive: outdated and dangerous

The Return Directive, introduced in 2008, aims to create consistent rules for returning undocumented people across the EU. While it focuses on detention and deportation procedures, it also impacts the ability of undocumented people to safely report crimes by omission.

Article 6.1 of the Directive requires states to issue a return decision for any undocumented person. This means that once a person’s irregular status is detected, deportation procedures must begin – unless asylum or humanitarian protections apply. It introduces an obligation to deport everyone, rather than a right to do so in some cases. The Directive does not specify that this obligation applies solely to competent immigration authorities. Therefore, it could be interpreted in a way that requires all state officials, including law enforcement, health and other administrative authorities, to take the necessary steps to ensure the issuance of a return decision. This approach poses two main problems.

First, the broad scope of the deportation obligation under Article 6.1 can lead to intrusive tracking methods and reinforce racial profiling practices, whereby people of colour are overly targeted by identity checks because skin colour is structurally used by law enforcement and immigration authorities as a proxy for detecting migration status. It pushes undocumented people further into the margins, into hiding to avoid detection and reinforces a culture of mistrust between migrants and police. It also pushes them away from essential services, such as healthcare, education or justice.

Second, the Directive lacks data protection safeguards. Adopted before the EU’s updated data protection framework, the law doesn’t clarify how authorities can – or can’t – process migrants’ data to begin deportation procedures. As a result, undocumented people who report crimes risk being deported simply because their residence status is revealed.

Attempts to reform the Return Directive since 2018 have ignored these critical issues. In October 2024, the reform resurfaced when seventeen European countries called for stricter EU return rules as part of an intensification of hostile migration policies. Sadly, this proposal still fails to address undocumented peoples’ data protection rights, and criminalises them even further.

The GDPR and the LED: safeguarding the right to data protection for all

The General Data Protection Regulation (GDPR), adopted in 2016, was designed to protect everyone’s personal data in the EU, including that of undocumented people. In parallel, the Law Enforcement Directive (LED), was adopted for the particular cases in which data are processed for law enforcement purposes. Both legislations set out key principles for data protection like purpose limitation, which ensures that personal data collected for one purpose (like going to the doctor) cannot be used for another incompatible one (like deportation). In short, both laws strongly regulate data transfers and repurposing. Consequently, police authorities processing people’s personal data based on crime reports are not allowed to transfer it to immigration authorities without proper justification.

In case of a clash, the Charter of Fundamental Rights must prevail.

The clash occurs when undocumented people report crimes. On one hand, the LED should protect their personal data from being used for migration control purposes. On the other hand, Article 6 of the Return Directive mandates return decision once their irregular status is discovered. This legal uncertainty puts migrants in a dangerous position – forced to choose between reporting a crime and risking deportation, or remaining silent and unsafe. It is also a dilemma for authorities, who have conflicting obligations (notably in terms of protecting victims’ rights and safety).Ultimately, it jeopardises community safety by creating mutual mistrust.

The Charter of Fundamental Rights of the EU gives us the solution to this clash. First of all, the Charter prevails over both legislations, as it is a primary legislation over secondary legislation. Moreover, the GDPR and LED were conceived to give substance to the Charter’s Article 8 which guarantees the fundamental right to personal data protection.

If reporting a crime results in deportation, it not only infringes undocumented people’s data protection rights, it also denies them their rights to non-discrimination (Art. 21 of the Charter) and access to justice (Art. 47 of the Charter). To safeguard these rights, the EU’s data protection framework should prevail, and undocumented people’s data should not be shared with immigration authorities.

National cases: safety or securitisation?

Despite the protection the EU data protection framework is supposed to provide, many EU countries have implemented laws based on the Return Directive that allow this use of data of undocumented people under the guise of public safety. For example, a 1990 German law requires public authorities to report undocumented people who access public services, deterring them from seeking help. This has been denounced many times by EDR member Gesellschaft für Freiheitsrechte.
Yet, contrary to what they claim to do, such policies worsen the securitisation approach – according to which migrants are seen as threats – , rather than offering true safety and protection, and ultimately, make communities less safe:

• No reliable crime data: Without the ability to report crimes, undocumented people go “underground”, making it impossible for authorities to gather accurate crime data. This prevents them from effectively addressing actual public safety issues.
• Criminals are not held accountable for their actions: Criminalising migrants deters them from reporting crimes like human trafficking, labour exploitation, and abuse. This allows traffickers and abusive employers to operate without fear of being caught, while the state focuses on taking punitive action against the victims.
• Neglect of a group in a vulnerable situation: Migrants often face exploitation, violence, and abuse. But instead of protecting individuals in a precarious circumstance, states that prioritise deportation to push them further to the margins, denying them the protection they need.

Same legislative framework, different practices

As pointed out by Platform for International Cooperation on Undocumented Migrants (PICUM ) in a report sent to the UN Office of the High Commissioner for Human Rights, some countries have adopted policies that strike a better balance between safety and protection. In the Netherlands, the “Free in, Free out” policy allows undocumented people to report crimes at police stations without fear of immigration enforcement. While this is a step in the right direction, it lacks accompanying support services, which limits its impact.

Spain has taken another approach. The Guardia Civil’s Immigration Attention Teams (EDATI) assist undocumented people by informing them of their rights and helping them report crimes. Crucially, EDATI teams are not authorised to detain or deport migrants, giving them the confidence to seek help.

Finally, as the SafeReporting project has shown, there are also some locally-led measures, such as those adopted in the city of Barcelona (PDF), that involve cooperation between the community, NGOs and law enforcement. These can be also models of alternative, temporal solutions in terms of safety and crime prosecution until state-wide legal firewalls are implemented.

What needs to be addressed? People’s rights vs migration control

The focus on immigration enforcement over human rights leaves undocumented people vulnerable to exploitation, fear and silence. Criminalising migration also overshadows the need to protect fundamental rights and to ensure everyone’s safety.

Seeing how different countries interpret the current framework differently, and the member states’ tendency towards securitisation – as seen recently in Germany, Netherlands or Italy -,the legislator has the power (and obligation!) to make European law clear, foreseeable and in accordance with the Charter.

This is why the text of a new Return Directive should establish safeguards for the personal data of undocumented people reporting a crime against themselves or against a third party. It must state clearly that, in compliance with the GDPR, the LED and the Charter’s purpose and safeguards, the data obtained for the purposes of crime-reporting cannot be used to start return procedures. Therefore, the recast of the Directive should make it mandatory for member states to create legal firewalls to ensure safe reporting.

To uphold the protection of the other rights involved, i.e. access to justice and equality, it should also guarantee that any unlawful data processing in return decisions are subject to appeal with judicial oversight, and with suspensive effect. This is necessary to prevent the irreversible harm of a deportation, as the European Court of Human Rights case law has already pointed out for cases when there is risk of breaching the principle of non-refoulement.

Within the current legislative framework, the EU and its member states can still address safe reporting by ensuring the following practices:

1. Create firewalls between law enforcement and migration authorities: There should be a clear separation between data collected for crime-reporting and data shared with immigration authorities. This “firewall” would allow migrants to report crimes without fearing deportation. More importantly, this would build trust between migrant communities and law enforcement while still allowing migration authorities to enforce the Return Directive in cases where appropriate and lawful.
2. Strengthen purpose limitation rules: The EU and its member states must ensure that the purpose limitation rules of the EU data protection framework are explicitly applied in migration cases. Data of people reporting crimes should not be repurposed for deportation.
3. Enhance judicial safeguards: The law must guarantee that any data protection interference in return decisions are subject to judicial oversight, including the right to appeal before a judge, and with suspensive effect, to prevent the irreversible harm of a deportation.
4. Raise awareness and train officials: Law enforcement and migration authorities need training on data protection regulations to ensure they handle migrants’ data responsibly and according to the EU’s data protection framework.
5. Community-led mechanisms: Confidential and anonymous reporting mechanisms should also be established  – such as hotlines, or secure websites – to encourage victims to seek help.

Privacy and safety of migrants should be at the forefront of policy: building firewalls, enforcing the LED, and protecting the members of society in the most vulnerable situations isn’t just the right thing to do – it’s essential to maintaining justice and trust within the EU. People, regardless of their administrative status, have the right to report crimes without risking deportation. Let’s make sure the law works for them, not against them.