As the final comment says: “If you build in more power for authorities, you need more safeguards for citizens as well,” she added. “That is not happening here.”…
The European Union is about to become a lot safer — at least on paper.
Lawmakers are set to approve plans for an enormous new database that will collect biometric data on almost all non-EU citizens in Europe’s visa-free Schengen area. The database — merging previously separate systems tracking migration, travel and crime — will grant officials access to a person’s verified identity with a single fingerprint scan.
The question, say the plan’s critics, is whether it truly represents an improvement to safety — and whether it adequately takes into account concerns about civil liberties and privacy.
Data protection experts warn the database, which is set to be approved in the European Parliament Tuesday, will be unnecessarily invasive. Intended to help law enforcement authorities better track and monitor terrorists, criminals and unauthorized immigrants, it could instead undermine the EU’s own data protection laws and lead to serious rights violations, especially for migrants and minorities.
The idea of interconnecting European databases has been floating around EU institutions for some 15 years
On top of that, said Reinhard Kreissl, the head of the Vienna Centre for Societal Security and a former member of the European Commission’s Security Advisory Group, it could be useless, or even counterproductive.
Most law enforcement agencies are already drowning in data, said Kreissl.
“There is the famous expression ‘seeking the needle in the haystack,’” he added. “So, we have millions and millions of data of individuals and someone in there is a terrorist, but we don’t know how to find them. What do you do if you increase the haystack? It is much more difficult to find the needle.”
The idea of interconnecting European databases has been floating around EU institutions for some 15 years, but was previously dismissed as too problematic.
A single, overarching EU information system would “constitute a gross and illegitimate restriction of individuals’ right to privacy and data protection,” the European Commission said in 2010, adding that it would “pose huge challenges in terms of development and operation.”
The equation changed in 2015, a year that saw deadly terrorist attacks in Paris and Brussels and the arrival of more than 1 million migrants and refugees. In 2017, the Commission put forward its “interoperability” proposal to reduce identity fraud and more easily identify non-EU nationals in Europe; it then presented an amended version in July last year and has said it hopes to have the new measures in place by 2023.
The legislation will “fix fragmentation of European efforts to enhance security, close information gaps and address the risks of terrorists and serious criminals crossing our borders undetected,” Dimitris Avramopoulos, the European commissioner for migration, home affairs and citizenship, said in an emailed statement.
“It is good news if you care about fighting identity fraud,” said Dutch MEP Jeroen Lenaers, a European People’s Party representative who steered the legislation through the Parliament, in a debate at the end of March. “It is good news if you care about giving our police officers, our border guards, our custom guards, the right instruments to do their jobs and also very helpful with the elections coming up.”
The new centralized database, known as the Common Identity Repository (CIR), will hold up to 300 million records containing biometric and biographic data — including fingerprints, photographs, names, addresses and other information — on almost all non-EU citizens in the Schengen area. It will also include data on some EU citizens.
The data in the CIR will be taken from five systems. Two of them — containing asylum seekers’ fingerprints and data on short-stay visa applications — are already up and running.
The proposed legislation comes with a hefty price tag
Two others include a system to replace passport stamps by recording all crossings of non-EU citizens into and out of the EU and a program that will require visitors who don’t require visas to apply for entry to the EU prior to travel.
The last piece of the puzzle — a record-keeping scheme designed to make it easier for national authorities to know whether foreigners have previous criminal convictions in the EU — will also hold data on EU nationals with dual citizenship.
The proposed legislation comes with a hefty price tag: Brussels has set aside €425 million between 2019 and 2027 for interoperability, with countries expected to pay some of their own costs. Germany estimates it will need to spend up to €92 million. The creation of the new border crossing and travel authorization systems as part of the plan will cost the EU another €690 million.
The proposal is expected to be approved without major obstacles in Tuesday’s vote in Parliament, before it is sent to the Council of the European Union for a final review, officials with knowledge of the process said, some of whom voiced concern over the speed of the process.
“Everything is rushed,” said a European Commission official. “I don’t think anyone understands what they’re voting for.”
“There was much lobbying behind the scenes,” said a European Parliament official close to the discussions.
Meet the monster
The push to bundle EU data into one “monster database” — as German Green MEP Romeo Franz described it — is based on the idea that the more information the bloc collects, and the more harmonization there is between its different databases, the safer it will be.
But some security experts question that logic.
Giovanni Buttarelli, the European data protection supervisor, has warned of a potential “panopticon in which all our behavior is considered useful for investigative purposes and must be made accessible because fighting crime is given priority.”
The merging of data from five databases designed for different purposes is “drilling a loophole” into a key aspect of EU law, according to a European Parliament adviser who asked to remain anonymous.
The EU’s privacy laws — including the General Data Protection Regulation (GDPR) — state that personal data must be “collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
And yet, data collected in the CIR database will be used for “purposes distinct from those of the original collection,” according to the Article 29 Working Group, an advisory group made up of representatives from the national data protection authorities of individual EU countries.
This was “intended from beginning,” the group concluded.
Others have raised similar fears over the CIR, which will be accessible to police officers carrying out identity controls in the street
The data will feed into another new system, also introduced by the interoperability proposal, known as the Multiple Identity Detector (MID).
This system will scan the data in the CIR and the Schengen Information System (SIS) — which holds information on over 930,000 people including criminals, missing people and non-EU nationals who have been refused entry or stay in the Schengen area.
If two separate files in these systems have the same name and address, but different biometric data, the MID will create a “yellow link” between them. It will then be up to national authorities to investigate whether the link is justified and merits further inquiries.
The mechanism will “lead to disproportionate processing of personal data” because it will inevitably generate vast numbers of false links, according to Teresa Quintel, a data protection specialist at the University of Luxembourg.
It will also result in significant amounts of work for national officials, and could lead to an increase in otherwise unwarranted questioning of non-EU nationals, Quintel noted.
Others have raised similar fears over the CIR, which will be accessible to police officers carrying out identity controls in the street. The EU’s Fundamental Rights Agency has warned that these new powers introduce “a severe risk of discriminatory profiling” against minority groups.
“In principle, we need a better European cooperation of justice and home affairs,” said Dutch MEP Sophie in ‘t Veld of the Democrats 66 party, part of the liberal ALDE group in the European Parliament. “But this interoperability proposal is premature and has lots of in-built weaknesses.”
“If you build in more power for authorities, you need more safeguards for citizens as well,” she added. “That is not happening here.”
Caitlin L. Chandler is a freelance journalist based in Berlin. Chris Jones is a freelance journalist based in London. Petra Sorge and Ludovica Jona contributed reporting.
The reporting for this story was supported by the Otto Brenner Foundation and an Investigative Journalism for Europe grant (IJ4EU).