Interoperability of European Centralised Databases: Another Nail in the Coffin of Third-Country Nationals’ Privacy?
Since the past few decades, legal scholars and practitioners have been progressively acquainted with a series of abbreviations: SIS II, VIS, Eurodac, EES, ETIAS, ECRIS-TCN and the concept of interoperability has arisen prominently in the EU agenda. Behind the abbreviations lies an elaborated and complex legal framework of Europe-wide databases, whereby millions of personal data collected by different groups of third-country nationals are stored and further processed for a variety of purposes. For the sake of convenience and to inform the subsequent analysis, find here a table summarizing the key characteristics of each system.
This table is illustrative of the different logics and objectives underpinning each database, but also of an array of common characteristics.
- First, their scope ratione personae is primarily different categories of third-country nationals, with EU citizens personal data only processed in an incremental manner (by the law enforcement branch of the SIS II; by the VIS, as regards sponsors or family members of visa applicants, or in the future ECRIS-TCN in relation to dual nationals);
- Second, those databases process a wide range of personal data, including biometrics (photographs and fingerprints, except for the ETIAS), which constitute a special category of personal data under Article 9 of the General Data Protection Regulation;
- Third, law enforcement authorities and Europol are allowed to have access to the records, either under specific conditions (VIS, Eurodac, EES, ETIAS) or because of the law enforcement (security) mandate (SIS II and ECRIS-TCN);
- Fourth, personal data are retained for a significant period of time;
- Fifth, databases are multi-purpose, dynamic and flexible in nature, as evidenced by the increasing objectives attached to each system. These purposes range from modernising immigration control to (disturbingly) law enforcement, thus blurring the boundaries between immigration and criminal law.
Crucially, databases are compartmentalised; even though in the future all third-country nationals will be effectively captured by at least one database, the data pots are separate from each other. This will soon change; the final step towards an EU ‘Big Brother’ is the interconnection of the different ‘data pots’ under the umbrella term of interoperability. Against this background, this blog post aims at critically evaluating this important legal development from a privacy and data protection standpoint.
2.Compartmentalisation Is Dead: Long Live Interoperability
The story behind the emergence of interoperability has been discussed in detail elsewhere. For the purposes of the present post, it suffices to recall that the interoperability debates first started in the aftermath of 9/11. Then, in its 2005 Communication, the Commission defined interoperability as the ‘ability of IT systems and of the business processes they support to exchange data and to enable the sharing of information and knowledge’. Details on the legal aspect of interoperability were spared, as the concept was reduced to a technical matter. Since the Paris attacks of November 13, 2015, the connection of the ‘data jars’ has gained fresh impetus. A High Level Expert Group on Information Systems and Interoperability was set up and gave the green light for implementing this initiative. In the meantime, interoperability was already foreseen in the proposals for the EES, recast Eurodac (still under negotiations) and ETIAS, thus pre-empting its insertion through the back door without an assessment on its necessity. Following speedy and rather limited negotiations, Regulations (EU) 2019/817 and 2019/818 were published in the Official Journal on the 22nd May 2019.
Interoperability is understood as information systems ‘speaking to each other’ and as an evolutionary tool that will enable further uses through the aggregation of data from different sources. Its four main components are:
- The ESP (European Search Portal) will enable competent authorities to simultaneous query the underlying systems and the combined results will be displayed on one single screen. Even though the screen will indicate in which databases the information is held, access rights will remain unaltered and will proceed following the rules of each database.
- The Biometric Matching Service (BMS) will generate and store templates from all biometric data recorded in the underlying systems, thus effectively becoming a new database that compiles biometrics from the SIS II, VIS, Eurodac, EES and ECRIS-TCN and that will replace separate searches in the other databases.
- The Common identity repository (CIR) at the core of interoperability which will store an individual file for each person registered in the systems, containing both biometric and biographical data as well as a reference indicating the system from which the data were retrieved. CIR’s main objectives are to facilitate identity checks of third-country nationals, assist in the detection of individuals with multiple identities and streamline law enforcement access. With respect to law enforcement, a two-step process is foreseen whereby law enforcement authorities will first consult all databases to check whether records on an individual exist in any of the databases without obtaining prior authorisation by a verifying authority. In the event of a ‘hit,” the second step is to obtain access to each individual system that contains the matching data through the procedure prescribed in the legal basis of each database.
- Finally, the Multiple Identity Detector (MID) will use the alphanumeric data stored in the CIR and the SIS II to detect multiple identities; it will create links between identical data to indicate whether the individual is lawfully registered in more than one systems or whether identity fraud is suspected.
3.From a ‘Panopticon’ to a ‘Pangnosticon’ in Violation of Privacy?
With interoperability as the ‘cherry on top’ of a multi-layered cake of databases, the landscape of information processing through centralised databases will be forever changed. Whereas interoperability will not frustrate existing limits on access rights of national authorities, the use of personal data will be attached to new purposes, which are not to be found in the respective legal instruments. For instance, Eurodac data will be used to detect persons with multiple identities even though Eurodac’s mandate does not specify such use. Furthermore, a particularly worrisome change involves Article 20 of the Regulations on interoperability, according to which a Member State police authority is authorised to query the CIR with the biometric data of a person taken during an identity check for the sole purpose of identifying that person. This function of the CIR was not supported by the existing legal framework and the addition of specific circumstances under which police authorities are authorised for identification checks in the adopted text does not compensate for the lack of clarity. The proposals stipulated that under Article 20 the identification of the person must contribute to preventing and combating irregular migration or contributing to a high level of security. As the EDPS has correctly pointed out these objectives are unduly vague and do not explain whether these police checks will take place under immigration control or law enforcement procedures. Identity checks by police authorities may fuel discriminatory practices which may proceed to identification checks to third-country nationals on the spot solely on the basis of extensive profiling, rendering their status on the territory particularly precarious.
In reality, interoperability negates the relevance of the purpose limitation principle by essentially enabling databases to be used for almost any purpose as long as this is not incompatible with the original purpose for which the data have been originally collected. The multiple reconfigurations of the systems over time denote that the threshold for such ‘incompatibility’ is unreachable and the limits of these systems are far from being reached. The fact that the CIR will include both personal data collected and further processed for traditional law enforcement purposes (ECRIS-TCN) and personal data of immigration nature that will be used for the identification of individuals in multiple fora is probably the deathblow for the purpose limitation principle and privacy as the key value behind data protection law. Interoperability should not be seen as a way of altering the nature and purposes of existing databases, in other words interoperability should not become the end in itself. Compartmentalisation, which was heralded as a way of ensuring the protection of privacy and personal data protection, has become a problematic feature, allowing for ‘blind spots’ that hinder the work of national authorities. This logic does not correspond to the traditional understanding of migration control, but rather exemplifies and validates a growing understanding of databases for third-country nationals as ‘security systems’ and interoperability essentially reconceptualises all centralised databases as quasi-intelligence tools.
Perhaps the elephant in the room as regards the operationalisation of interoperability involves the masked setting up of new databases —the BMS, the CIR and the MID- based on combining data from different sources (albeit the latter will not hold personal data). The fancy wording that is used (‘component’ and ‘repository’) should not distract from the dangerous reality of massive catalogues of third-country nationals at EU level who are either administratively or criminally linked to the EU over a significant period of time. The aggregation of data through databases signifies a new information-processing paradigm of mass and indiscriminate surveillance. By combining information from different systems, authorities are empowered to draw more precise conclusions on the private lives of individuals, and data subjects will be unable to foresee how their collected information will be used. As Bunyan has noted, it is not far-fetched to characterise interoperability as a decisive step towards a single EU information system at the service of an EU Big Brother.
One could argue that the BMS does not process personal data as it merely stored templates of biometrics. Whilst this is an area that merits further attention, it has also been convincingly argued that templates constitute personal data. Importantly, the case of the CIR in particular reminds Foucault’s ‘panopticon’, whereby domestic authorities shall be able to see all different groups of third-country nationals through a digital catalogue for foreign population with an administrative or criminal law link to the EU. Repetitive references in EU documents to ‘blind spots’ that need to be covered so that everyone could be seen fits well with the analogy. Moving beyond, it is hereby argued that interoperability will enable domestic authorities to know third-country nationals better, by assembling records from the different systems and combine the different personal data to create richer profiles regarding their movement and administrative or criminal procedures that they have undergone. The ‘pan-opticon’ (coming from the ancient Greek ‘πάν’ (all) + ‘οπτικόν’ (of sight)) is thus progressively replaced by the ‘pan-gnosticon’ (‘πάν’ (all) + ‘γνωστικόν’ (of knowledge), an emerging know-it-all surveillance system, whereby authorities would be able to achieve total awareness of the identities of the individuals, with the ultimate aim of preventing, deterring, controlling, or in more neutral words ‘managing’ people.
In a series of judgments, the EU Court of Justice has placed important limits to Member States’ surveillance powers. In Opinion 1/15, concerning the transfer of PNR data from the EU to Canada, the Grand Chamber found that such transfer would not amount to a system of unlawful generalised surveillance, given that the personal scope involved merely those travellers from the EU to Canada. Conversely, in Digital Rights Ireland and Tele2, the Grand Chamber was adamant in proscribing mass surveillance, since it involved ‘practically the entire EU population’. It is hereby argued that whilst each database on its own may not qualify as establishing generalised and indiscriminate surveillance of movement following Opinion 1/15 because it involves only a fraction of third-country nationals, the CIR as a new database combining materials from the underlying systems ticks all the boxes to be considered as unlawful mass surveillance of movement.
Another key change brought about by interoperability involves law enforcement access to third-country nationals’ data. Access is currently subject to tailored conditions of access and verification by a verifying authority. In Digital Rights Ireland and Tele2, the CJEU made clear that such access should be subject to strict conditions and prior verification that those conditions have been met by a verifying authority, either a judicial or independent administrative one. Interoperability will not only retain the problematic modalities of access to the respective systems (for example see my chapter in this volume), but will further progressively lead to routine access. As noted by the EDPS, a ‘hit’ is significant since it reveals elements of an individual’s personal life, for instance that they are visa free travellers or asylum seekers, and, therefore, this first step of checking whether there is personal data in any of the underlying systems should also take place after fulfilling the specific conditions of access prescribed in the legal basis of each database. Importantly, it is hard to believe that upon finding that a database holds information on a person, the verifying authority ensuring the conditions for access have been met will not allow such access. In other words, not only the independence and objectivity, but also the very existence of a verifying authority may be biased by the two-step approach. Arguably, this new function may enable national authorities to engage in ‘fishing expeditions’. Therefore, more prosecutions and/or convictions of third-country nationals may take place, merely because a pool of information exists, since no equivalent EU-wide catalogue of records on EU citizens exists. This may further sustain a divide between the EU citizens and the foreigner and raise serious non-discrimination concerns.
In addition, the operationalisation of interoperability raises further concerns as regards individual rights (rights of information as regards the processing of the personal data, right of access, rectification and deletion). In view of the processing of personal data in a multiplicity of context, the right to information may be all the more difficult to be exercised. Finally, as Evelien Brouwer eloquently points out in her contribution to the blog, it must be recalled that the personal data stored have been long suffering in terms of quality, including fingerprints. However, if the personal data stored are not of sufficient quality, any aggregation of this data through interoperability may have lead to incorrect processing, with significant repercussions for non-EU nationals, particularly in the case of the MID.
First, interoperability is much more than a buzz word and a panacea for security and migration concerns; it has become the ‘Trojan Horse’ towards the silent disappearance of the boundaries between law enforcement and immigration control and the radical intensification of surveillance of all mobile non-EU nationals. With that step completed, it will not come as a surprise if PNR data or even national identity cards or passports of EU nationals will also make their way into interoperable centralised databases, so as to ‘rectify’ the imbalance between the treatment of third-country nationals and EU citizens in terms of surveillance of movement through personal data processing. Secondly, interoperability is the latest nail in the coffin of third-country nationals’ privacy; databases have progressively proliferated and their functions expanded without having been litigated in terms of fundamental rights compliance before the European Courts. In an era where strategic litigation seems to be the way forward, is it possible for centralised databases to find their way into courts, or will we have to wait until data surveillance hits our own door?