Blogs | EDRi-gram | Privacy and data protection | Biometrics | Cross border access to data | Data protection standards | Surveillance and data retention

Eurodac database repurposed to surveil migrants

Eurodac is the EU database used to store asylum seekers’ and refugees’ data, as well as certain categories of “irregular” migrants. By the end of 2019, the EU stored almost 6 million peoples’ fingerprint sets in the database. Research show how legislative developments transform the Eurodac database into “a powerful tool for mass surveillance”, endangering migrants' fundamental human rights.

By EDRi · March 10, 2021

Designed by: Soulful Pizza /Pexels

On 24 January, the European Council for Refugees and Exiles published a paper by Dr Niovi Vavoula titled “Transforming Eurodac from 2016 to the New Pact. From the Dublin System’s Sidekick to a Database in Support of EU Policies on Asylum, Resettlement and Irregular Migration”. This blogpost summarises its main findings. 

In September 2020, the European Commission released a batch of legislative proposals pitched as “a New Pact on Migration and Asylum”. The Pact is meant to offer “a fresh start” to the European Union’s (EU) migration policies after the political deadlock since the attempted reform of the Common European Asylum System (CEAS) in 2016. The EU previously tried to fix the broken rules guiding the reception, distribution and processing of asylum requests (so-called “Dublin system”), but several Member States refused to take more responsibilities, halting the negotiations with the European Parliament. 

In the Pact on Migration and Asylum, a reform of the Regulation establishing Eurodac (which stands for European Dactyloscopy) is set forth to build upon the 2016 recast Eurodac proposal. Eurodac is the EU database used to store asylum seekers’ and refugees’ data, as well as certain categories of “irregular” migrants. By the end of 2019, the EU stored almost 6 million peoples’ fingerprint sets in the database. On 24 January, the European Council for Refugees and Exiles published a paper explaining the legislative developments transforming the Eurodac database into “a powerful tool for mass surveillance”. It also examines their expected impact on migrants and their fundamental rights.

What was Eurodac originally for?

The Eurodac database was introduced in 2003 alongside the Dublin Regulation to support the application of its allocation mechanism by identifying which Member State was responsible for examining a person’s asylum claim (usually the Member State of entry). Eurodac checks allow national authorities to verify if the fingerprints of an asylum-seeker or an “irregular border crosser” have already been recorded in another EU Member State. If that is the case, this Member State can be obliged to take back the person and to process their asylum application. The information stored at the time was limited to: a set of fingerprints, gender, the date of registration and the Member State of origin. Nonetheless, it functioned as a “quasi-identification tool” because authorities were authorised to exchange more personal information about the person and cross-check their Eurodac fingerprints against national databases in order to identify them. 

The 2016 recast

The 2016 recast of the Regulation definitely turned the database into a “multi-purpose” instrument serving EU policies on asylum, resettlement and irregular migration. First, the EU significantly expanded the database in terms of scope, adding many new categories of data (name, nationality, place and date of birth, information on travel and identity document, etc.) and of persons. For example, “irregularly present migrants” (e.g. people who are neither asylum-seeker nor “irregular border crosser” as they are already in Member States that are not situated at the EU periphery) and people in third countries eligible for admission on humanitarian grounds (e.g. in camps in Turkey) were added as a target to assist with the “control of illegal immigration” and of “secondary movements within the Union”. In addition, the age threshold for children was dramatically reduced to the age of six and the data retention period was significantly increased (for “irregular migrants” from 18 months to 5 years). All of this contributes to the mass surveillance of migrants, regardless of their status.

Furthermore, the 2016 recast introduced the requirement to add facial images during the data collection process which further intensifies the criminalisation of migrants. Whereas the European Commission first saw the addition of facial recognition as a “nice-to-have” measure to ensure accurate matches at the comparison stage, the Council later removed the safeguards related to its use and made it mandatory to apply administrative sanctions against migrants who refuse to have their biometric data captured, including the use of coercive means (detention, etc.). 

Lastly, while the database was already accessible by law enforcement officers and Europol, the European Agency for police cooperation, for the “purposes of preventing, detecting or investigating terrorist offences and serious crimes”, the 2016 recast reinforced the trend as “every safeguard was called into question” by the Member States who found that the procedure for access was too “complex, cumbersome, time- and human resource consuming”. 

The ECRE paper stresses multiple challenges to fundamental rights posed by the reform:  

  • The widening of the scope (e.g. in terms of data categories and categories of migrants) and purposes (from solely enforcing the Dublin rules to “controlling illegal immigration and secondary movements”) puts under pressure on the principle of purpose limitation.
  • The new measures do not meet the necessity and proportionality test, notably for the capture of facial images when it actually leads to deeper surveillance of migrants and restrictions on the right to privacy. In that regard, the Commission did not even bother to provide an impact assessment. It is greatly worrying that despite the fact that “migrants refused to undergo the fingerprinting process in an attempt to bypass the Dublin rules or due to fear that their personal data would be misused”, the legitimacy of the whole system was not put into question by the Commission. Instead, the concerns of people on the move have been used as an excuse to justify the collection of even more biometric data and the use of facial recognition ;
  • The European Council gave no proof to justify the removal of safeguards for law enforcement access. This further reinforces the equation of all third-country nationals (whether they are entitled to international protection or not) as security threats. 
  • The right to information on available remedies has been improved but “(…) practice shows that the rights to access, rectification and deletion of Eurodac records are rarely exercised”.

Political opportunism: the 2020 proposal

As the previous reform package failed to pass the political negotiations, the Commission was given a window of opportunity to introduce new elements to the latest version of the Eurodac Regulation.

A major change is the automatic linking of all Eurodac records about each third-country national in a sequence. The aim is then to produce statistics about movements to and in Europe. In addition, the statistics would also be drawn from the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the Visa Information System (VIS) – all other EU databases storing migrants’ data depending on visa requirements. It means that statistical information on how individuals seek legal ways to access EU territory (sometimes via a short-term visa) can be used by authorities to hamper their arrival and prevent them from lodging an asylum claim, thus infringing on the right to seek asylum. 

New categories of data are also added to the list of stored information. Most worrying is the addition of a “security flag” during the screening process (when personal data is being collected) whereby authorities carry out a security check against EU and national databases, can mark that a certain individual is deemed to be a security risk and thus, provide a rejection ground against a claim for international protection. However, an ECRE report explains that this judgment usually does not rely on accurate, verifiable data and that “any irregularities, arbitrariness and strictness in the security assessment of individuals is bound to have a long-lasting impact on those persons”. Lastly, changes are made to the interoperability requirement of Eurodac with VIS and ETIAS, which is problematic because “Eurodac absorbs the objectives of those information systems”. 

Currently, the proposal is being examined by the two co-legislators, the Parliament and the Council. ECRE notes that scrutiny of this file is particularly difficult as the 2020 proposal builds on the agreement reached on the 2016 text, a document that is not publicly available. EDRi and its members will continue to monitor the process and denounce the violations of the fundamental rights of migrants. 

(Contribution by:)

Chloé Berthélémy

Policy Advisor

Twitter: @ChloBemy