Travel surveillance in the EU
The EU is introducing a series of surveillance measures involving intensive data-gathering and data-sharing practices to come into use in 2022. These measures will see a drastic increase in the quantity and granularity of data collected on travellers, in circumstances where authorities already struggle with the amount of data they have. This explainer, based on a publication by Statewatch, aims to elucidate these new measures and their consequences.
- Novel EU travel surveillance measures will capture tourists and business travellers from some 165 countries, potentially affecting billions
- The measures include profiling tools, the development of biometric databases and the deployment of a new watchlist managed by Europol
- The exercise of data rights by travellers is likely to be made even more difficult and complex in light of overlapping legal frameworks
In the name of reinforcing migration control and increasing security, the EU is introducing a host of new surveillance measures aimed at short-term visitors to the Schengen area. New tools and technologies being introduced as part of the visa application process and the incoming “travel authorisation” requirement include automated profiling systems, a ‘pre-crime’ watchlist, and the automated cross-checking of numerous national, European and international databases. There are significant risks for privacy, data protection and other rights, as explained in Automated suspicion, a report published by Statewatch. This explainer sets out the key points from the report.
Political crises and technological advancement have accelerated surveillance in the migration sphere
Since the early 2000s the EU’s migration policies have foreseen the systematic gathering of personal data, including sensitive personal data such as biometrics, on all categories of people on the move - from refugees to business travellers. However, it is only in the last five years or so that these plans have truly begun to come to fruition. Renewed impetus has come from the political crises sparked by terrorist attacks and the large-scale arrival of refugees, as well as technological developments that make the establishment and interconnection of large-scale databases easier than ever before.
Much has been written about the EU’s attempts to ensure the tracking and surveillance of asylum-seekers and refugees – for example, through the EU-wide database Eurodac, which holds the fingerprints of all registered asylum-seekers in the EU, or the surveillance system Eurosur, which is intended to provide an ‘early warning system’ of people moving towards the EU’s external borders. Less attention has been given to ‘regular’ travellers, such as holiday-makers or people travelling for business. However, this group of people are due to be subjected to a host of new privacy-intrusive measures.
Tourists and business travellers are also fair game
There are two categories of people who will be subjected to the EU’s new travel surveillance initiatives – those who have to apply for a short-stay visa to visit the Schengen area, and those who are exempt from the visa requirement but in the near future will have to apply for a “travel authorisation” for a short-stay visit (this allows an individual to spend 90 days in a 180-day period within the Schengen area).
The former group of people is made up of the citizens of 105 countries across the world: a total population of some five billion people. The latter group consists of some 1.4 billion citizens of around 60 countries. While visa-exempt individuals are currently able to travel to the Schengen area for a short stay provided they meet the entry requirements, the introduction of the travel authorisation requirement – which mirrors the USA’s ESTA, Canada’s eTA and Australia’s ETA – will place new restrictions on a group of people who previously were able to travel relatively freely to the Schengen area. As of 1 January 2021, this group will also include UK citizens.
How does it work?
More data-gathering, automated database checks
An expanded set of personal data will be gathered from all would-be travellers. Names, addresses, travel document details and biometric data (fingerprints and photographs) will be taken and stored in centralised databases, alongside data on travellers’ families, education, occupation and criminal convictions, and more. Once an individual has completed their visa or travel authorisation application, it will be registered in the respective EU databases and a swathe of different data processing operations will begin.
Under the EU’s ‘interoperability’ initiative, a variety of different databases and information systems are being interconnected to allow the swifter, simpler comparison and exchange of personal data. In the visa and travel authorisation application procedure, this will allow the cross-checking of application data against EU databases on asylum, policing, border control, criminal records; Interpol databases on travel documents registered as lost, stolen, or of interest to the authorities; and various national databases.
Profiling of all travellers
Automated profiling systems are also being introduced, with the aim of identifying whether an individual and their application merits further attention from the authorities. Data mining tools will comb through previous applications, statistics on overstay and refusal of entry, information from national authorities on security risks, and epidemic disease risks identified by global health bodies, in order to generate “screening rules”.
These will then be used to identify individuals previously unknown to the authorities, but deemed to be of interest for migration, security or public health reasons, due to them displaying particular category traits – referred to in the EU lexicon as “risk indicators”. These indicators will include age range, nationality, country and city of residence, destination, purpose of travel and occupation – thus, all people living in a particular city of a particular age group may come in for further scrutiny from the authorities not because of anything particular they may have done, but simply because they match certain indicators. The precise details of these indicators have not yet been agreed; they will be set out in an ‘implementing act’ due to be adopted by the European Commission.
A new ‘watchlist’
A further novelty comes in the shape of a ‘watchlist’ to be operated by Europol, the EU’s policing agency. On the one hand, this will include data on individuals who are suspected of having committed or taken part in terrorist or other serious criminal offences. On the other, it will include people who it is believed may commit such offences in the future. Both Europol and EU member state authorities will be able to enter information into this new watchlist. The authority that enters the data is responsible for ensuring it is “adequate, accurate and important enough to be included,” and there is an obligation for a yearly review of the data included in the list.
This rather nebulous new databank clearly contains significant possibilities for deliberate abuse or just simple error. Individuals’ data protection rights – for example for access, correction or deletion of their data – are all set out on paper, but in practice they may be extremely difficult to exercise, given the number of different national and EU legal regimes that will apply to data held on the list. More fundamentally, no EU institution has ever publicly explained why the watchlist is necessary and how it will relate to other existing EU systems, in which it is already possible to include the ‘potential criminals’ that authorities believe may commit offences in the future.
Once an individual’s visa or travel authorisation application has been processed – that is, they have been cross-checked, profiled, screened against the watchlist and potentially invited to provide further documents, information, or invited to an interview to support their application – a decision will be made on their application.
Travel companies as border guards
Assuming their application is successful, the next stage of their journey will likely be to get on a plane or bus. When the EU’s new travel surveillance regime comes into force, “carriers” (generally plane and coach companies) will be given access to the visa and travel authorisation systems’ central databases to verify whether passengers have a valid visa or travel authorisation or not. While carriers will not be able to see any of the data held in the systems, these new rules will reinforce their role as outsourced border guards.
Any company found to be carrying an individual without the correct paperwork can be fined or even have their operating licences withheld. For the individual, refusal of passage will undoubtedly have a financial impact – such as wasted travel tickets – but may have far more serious, unquantifiable costs, such as inability to see a loved one or, in the most serious cases, inability to find a place of refuge.
Once an individual arrives at the border – whether that be in France, Spain, Sweden, Poland or any other Schengen state – their personal data will begin another journey around the EU’s digital circuits of security. Another round of cross-checks will take place against the same set of databases as in the application procedure, and more traditional methods of enquiry can also be used.
For example, border guards are supposed to verify an individual’s point of departure and destination, the purpose of their journey and whether they have means of subsistence for their intended trip. An individual’s documentation and baggage may be inspected for these purposes, as well as to ensure that they are not a potential danger to public security. Certain travel authorisation holders may have ‘flags’ attached to their file – potentially as a result of the automated profiling system – indicating that EU border guards should take them aside for further questioning.
An EU-wide ID database for travellers
Assuming an individual is granted entry to the Schengen area, their data will be accessible to a wide variety of officials. Under the EU’s ‘interoperability’ agenda, “identity data” from both visa applications and travel authorisations – names, date and place of birth, sex, travel document data, fingerprints and a photograph – will be stored in a new database called the Common Identity Repository (CIR). Other data relating to the application – for example, the purpose of travel or the applicant’s occupation – will remain in the respective EU databases, the Visa Information System (VIS) and the European Travel Information and Authorisation System (ETIAS).
Under the interoperability plans, data in the CIR will be made available to hundreds of thousands of police officers and other state officials across the EU. The database is designed to facilitate identity checks, assist in law enforcement investigations and the detection of possible identity fraud, and even to help with the rather gruesome task of identity dead people. Given that the underlying visa and travel authorisation databases were not established with all these purposes in mind, one critic of the interoperability initiative has remarked that it equates to pulling “a new legal basis out of a hat, after you have already collected personal data.” The intention to facilitate identity checks, meanwhile, is likely to indirectly encourage an increase in racial profiling.
Even after an individual leaves the Schengen area, their data will remain available to law enforcement authorities investigating terrorism and other serious crimes, and will also be used to feed the automated profiling system and for the development of ‘risk analysis’ by Frontex, the EU’s border agency. You may only be permitted to visit the EU for a short stay, but your personal data will be taking up long-term residence of up to five years.
Your personal data is going on a journey
The changes being introduced to the visa and travel authorisation application procedures raise a number of overarching issues. The first is that if these new systems are to function correctly, then accurate data is of paramount importance. However, it has been known for years that existing EU databases are riddled with errors, and it is only now that EU institutions and national governments are trying to work out ways to ensure the quality and accuracy of the data they hold. Without guarantees on data quality, the risk of errors that may result in irreparable harm to individuals is massively increased.
Secondly, it is well-established that the authorities have trouble coping with the amount of data they have. There is no shortage of cases in which criminal acts have been carried out by people already known to the authorities – whether they are migrants or European citizens. The idea that more state storage of data will inherently keep us safe from potential ‘threats’ is severely lacking in credibility. Vastly increasing the storage of data on foreign nationals is also particularly worrying at a time when EU governments are subverting democratic norms whilst presenting foreigners as scapegoats for society’s ills. Assuming that sensitive personal data on tens of millions of non-citizens can be centrally stored with no potential political risks in the years ahead is extremely dangerous.
Thirdly, the technologies being deployed are untested, despite raising huge risks, in particular with regard to the potential for unlawful discrimination. Nowhere is this clearer than in the case of the profiling system being introduced for visa and travel authorisation applicants. Non-EU citizens will effectively be guinea pigs for a range of unproven tools and technologies that may lead to serious restrictions upon their fundamental rights.
A fourth overarching issue concerns the possibility of those affected by these systems to access an effective remedy. Numerous different data protection regimes (both EU and national) will govern the use of these systems. This will lead to significant legal complexity that will be exacerbated by the fact that anyone seeking to exercise their rights will face a legal system with which they are unfamiliar and which functions in a language they may not speak fluently, if at all. Exactly how states will ensure that the rights provided on paper are effective in reality remains to be seen.
While, formally-speaking, there has been democratic scrutiny of the new rules, it is well-established that the EU’s law-making process is largely opaque to all but those participating in it and unintelligible to non-specialists who do not have the time to accustom themselves to the jargon of ‘trilogues’ and ‘comitology’. Over the last five years, EU policies on the processing of non-citizens’ personal data have expanded and accelerated significantly, largely out of the public eye. Far greater scrutiny should be afforded to how these systems work in practice, as well as the development of future initiatives in this field.