The European Union’s (“EU”) independent advisory body for data protection, the Article 29 Working Party (“A29WP”), has issued an Opinion in which it raises serious concerns about a proposed Entry Exit System (“EES”) designed to create ‘smart borders’ to regulate third country migrants entering into Europe. 

The proposed EES will govern entry into the Schengen area. The Schengen area is a border-free zone which guarantees free movement within most of the EU. All the EU Member States aside from the UK and Ireland (who have opted-out) and Romania and Bulgaria (who have yet to join, though are obliged to do so) form part of the Schengen area, as do some non-EU states (e.g. Switzerland) and a few microstates (e.g. Vatican City).

The need for reform

According to the A29WP, between 1.8 and 3.9 million migrants remain in the EU following visa expiration.  These figures are approximates and are admittedly unreliable as there is no single database on which to make such an assessment.

The European Commission (the “Commission”) has proposed the EES as a future ‘smart border’ governing entry and exit into the Schengen area. The main objectives of the EES are to:

  • improve the efficiency of border control;
  • combat overstay;
  • provide more accurate data on entry and exit to the EU; and
  • make it easier to return migrants who overstay visas.

Is the EES a suitable solution?

The A29WP accepts that there are problems with the current system, for example, the present method of using stamped documents is inconsistent, unreliable and prone to fraud. In fact, for similar reasons another database called the Visa Information System (“VIS”) is being developed. VIS will regulate migration from third countries which require a visa. The Opinion questions why VIS is not sufficient to remedy the mischief EES is intended to provide for. In addition, there are concerns as to whether EES is a suitable method to tackle the following issues:

  • Efficiency - EES will only provide improvements for migrants whose data is not already stored on existing systems, and details will still have to be entered manually on the migrant’s first entry across the border;
  • Overstays - incorrect data entry or data loss may victimise innocent travellers, and the adoption of a similar system in the US, which also faces the problem of policing large land borders, has been troubled and involved delays, together with high costs and manpower. The A29WP also questions whether the EES is sufficient to address the complex problem of overstay, and it points out that detection alone may not combat the problem;
  • Effective return – the Opinion questions what EES will add to VIS (aside from providing information on third country nationals from states for which no visa is required, and which are generally low-risk for overstays). The Opinion also points out that there are many cases where individuals are refused re-admission to their originating state despite having been identified, and questions the significance of EES in these situations.

Impact on data protection and privacy

Article 8 of the EU Charter guarantees right to protection of personal data, and the A29WP states it is ‘firmly of the view that the added value of the EES… does not meet the threshold of necessity which can justify interference with the rights under Article 8’.

The Opinion questions whether the EES, with predicted initial start-up costs of €183m, plus annual operating expenses of €88m, is suitably cost-efficient, particularly in light of other border systems also in development.  In addition, the Opinion doubts whether the creation of an additional large database of sensitive personal data is justifiable and expresses concern about proposals to automatically allow law enforcement agencies access after a two-year evaluation period.

More specifically, the following data protection concerns are raised:

  • Biometrics - these will be introduced without any evaluation period, something the A29WP disapproves of, as it may be possible to achieve the EES’ objectives without using this technology and collecting biometric data in the process;
  • Retention periods - the A29WP considers a blanket extension of the period for which data will be retained, from six months to five years if an individual overstays, to be disproportionate;
  • Deletion of data – the EES will allow a person to request that their data be deleted if a permanent right to remain is granted. However, the A29WP suggests data subjects should be advised of this right upon receiving the right to remain, and raises concerns of false overstay notices being issued during the period between an application for residency and it being granted;
  • Data transfer to third countries on readmission – the EES proposals currently grant EU Member States considerable discretion in transferring personal data to third countries when trying to return a migrant to his or her country of origin. The A29WP is concerned that this may breach the EU Charter and questions what safeguards will be imposed to ensure Member States respect the rights of individuals; and
  • Definitions – these are inadequate, for example ‘Biometric data’ is defined as fingerprints.

In addition the A29WP is concerned about the lack of specific safeguards in how data is accessed, the risk of discrimination when vetting traveller risk without evidence, and the creation of a biometric database.

WAB Comment:

Border and immigration control is a complicated and difficult issue, both legally and politically. While the A29WP respects the Commission’s aims in proposing a smart EES, it also raises important concerns both from a practical and data protection standpoint. Although its views are not binding on the EU legislative institutions, the A29WP is well respected and its opinions are highly persuasive; given the clearly pressing need to tackle many of the issues identified in the proposed EES, and the increasing protection afforded to data protection by the EU, it would be sensible for EU legislature to address the issues raised in the Opinion.