The ongoing coronavirus pandemic has raised the possibility of widespread surveillance and location tracking for the purpose of disease control, setting alarm bells ringing amongst privacy advocates and civil rights campaigners. However, EU institutions and governments have long been set on the path of more intensive personal data processing for the purpose of migration control, and these developments have in some cases passed almost entirely under the radar of the press and civil society organisations.
This report examines, explains and critiques a number of large-scale EU information systems currently being planned or built that will significantly extend the collection and use of biometric and biographic data taken from visitors to the Schengen area, made up of 26 EU member states as well as Iceland, Liechtenstein, Norway and Switzerland. In particular, it examines new systems being introduced to track, analyse and assess the potential security, immigration or public health risks posed by non-EU citizens who have to apply for either a short-stay visa or a travel authorisation – primarily the #Visa_Information_System (#VIS), which is being upgraded, and the #European_Travel_Information_and_Authorisation_System (#ETIAS), which is currently under construction.
The visa obligation has existed for years. The forthcoming travel authorisation obligation, which will cover citizens of non-EU states who do not require a visa, is new and will massively expand the amount of data the EU holds on non-citizens. It is the EU’s equivalent of the USA’s ESTA, Canada’s eTA and Australia’s ETA.[1] These schemes represent a form of “government permission to travel,” to borrow the words of Edward Hasbrouck,[2] and they rely on the extensive processing of personal data.
Data will be gathered on travellers themselves as well as their families, education, occupation and criminal convictions. Fingerprints and photographs will be taken from all travellers, including from millions of children from the age of six onwards. This data will not just be used to assess an individual’s application, but to feed data mining and profiling algorithms. It will be stored in large-scale databases accessible to hundreds of thousands of individuals working for hundreds of different public authorities.
Much of this data will also be used to feed an enormous new database holding the ‘identity data’ – fingerprints, photographs, names, nationalities and travel document data – of non-EU citizens. This system, the #Common_Identity_Repository (#CIR), is being introduced as part of the EU’s complex ‘interoperability’ initiative and aims to facilitate an increase in police identity checks within the EU. It will only hold the data of non-EU citizens and, with only weak anti-discrimination safeguards in the legislation, raises the risk of further entrenching racial profiling in police work.
The remote monitoring and control of travellers is also being extended through the VIS upgrade and the introduction of ETIAS. Travel companies are already obliged to check, prior to an individual boarding a plane, coach or train, whether they have the visa required to enter the Schengen area. This obligation will be extended to include travel authorisations, with travel companies able to use the central databases of the VIS and ETIAS to verify whether a person’s paperwork is in order or not. When people arrive at the Schengen border, when they are within the Schengen area and long after they leave, their personal data will remain stored in these systems and be available for a multitude of further uses.
These new systems and tools have been presented by EU institutions as necessary to keep EU citizens safe. However, the idea that more personal data gathering will automatically lead to greater security is a highly questionable claim, given that the authorities already have problems dealing with the data they hold now.
Furthermore, a key part of the ‘interoperability’ agenda is the cross-matching and combination of data on tens of millions of people from a host of different databases. Given that the EU’s databases are already-known to be strewn with errors, this massively increases the risks of mistakes in decision making in a policy field – immigration – that already involves a high degree of discretion and which has profound implications for peoples’ lives.
These new systems have been presented by their proponents as almost-inevitable technological developments. This is a misleading idea which masks the political and ethical judgments that lie behind the introduction of any new technology. It would be fairer to say that EU lawmakers have chosen to introduce unproven, experimental technologies – in particular, automated profiling – for use on non-EU citizens, who have no choice in the matter and are likely to face difficulties in exercising their rights.
Finally, the introduction of new databases designed to hold data on tens of millions of non-citizens rests on the idea that our public authorities can be trusted to comply with the rules and will not abuse the new troves of data to which they are being given access. Granting access to more data to more people inevitably increases the risk of individual abuses. Furthermore, the last decade has seen numerous states across the EU turn their back on fundamental rights and democratic standards, with migrants frequently used as scapegoats for society’s ills. In a climate of increased xenophobia and social hostility to foreigners, it is extremely dangerous to assert that intrusive data-gathering will counterbalance a supposed threat posed by non-citizens.
Almost all the legislation governing these systems has now been put in place. What remains is for them to be upgraded or constructed and put into use. Close attention should be paid by lawmakers, journalists, civil society organisations and others to see exactly how this is done. If all non-citizens are to be treated as potential risks and assessed, analysed, monitored and tracked accordingly, it may not be long before citizens come under the same veil of suspicion.
