EU’s entry/exit plan needs more thought

The European Data Protection Supervisor, Peter Hustinx, has warned that recently announced plans to revolutionize Europe’s outer borders with a biometric-based entry/exit system have far reaching consequences from a privacy perspective, a fact that powers within the EC seem relatively un-interested in discussing.

He said in a statement: “It is very regrettable that the EDPS has not been consulted in the preparation of the communications or in the course of the impact assessment of the first communication. The national data protection authorities have not been consulted either. This gives the overall impression that this aspect was considered less relevant by the European Commission than purely technical aspects.”

While, Hustinx agrees that improving management of migration flows and preventing illegal immigration and possible threats to the security are all legitimate purposes, he warned that “several of the envisaged measures entail the processing of vast amounts of data, involving the collection, consultation and possible sharing or pooling of these data.”

The consequences of these processing operations, Hustinx argues, is that people may be wrongly refused entry to the EU territory and a great number may be subjected to more intrusive admission procedures at the border. “It is therefore crucial that the impact on the privacy rights of individuals concerned is adequately taken into account. A lack of data protection safeguards does not only mean that these individuals might suffer unduly from those measures, but also that the measures will be less effective, or even counter productive, by diminishing public trust in government action.”

The EDPS is concerned that far reaching proposals implying surveillance of the movements of individuals follow each other at an amazing pace. Many proposals have been or are about to be tabled in this area (SIS II, VIS, review of Eurodac Regulation, access of law enforcement agencies to these systems, PNR, etc.). All these proposed measures are intended to contribute to the monitoring of travelers before and upon entry to the EU (or Schengen) territory.

The sheer number of these proposals and the seemingly piecemeal way in which they are put forward make it extremely difficult for the stakeholders (European and national Parliaments, data protection authorities including EDPS, civil society) to have a full overview, Hustinx said.

The EDPS said he would like to see evidence that there is a master plan for all these initiatives, giving a clear sense of direction. Such a general plan would greatly help to analyse the impact of the totality of these measures on the travellers (in third countries, at entry or within the EU territory) and to design appropriate safeguards.

The EDPS drew attention to the reports of the United States Government Accountability Office concerning the US-VISIT system. One of the most recent reports expressed serious concerns about the prospects for successfully delivering an operational exit solution and underlined clearly the challenges of the building of such a system.

Over 4 years, the American Department of Homeland Security has invested about $1.3 billion and delivered basically one-half of US-VISIT. Over the same period, US-VISIT has allowed to take action (including denial of entry) against a little more than 1500 people. This suggests that the cost effectiveness of such a system is not guaranteed, argued Hustinx.

The EDPS was also concerned about the seemingly heavy reliance on the use of biometric elements, noting that revocation of biometric data is almost impossible and that a certain percentage of persons concerned will not to be able to enrol (because they

have no readable fingerprints or no fingerprints at all).

The EDPS said that the EC’s communication envisages synergies between the VIS, the entry/exit system and the proposed Registered Traveller programme. It even considers a merging of the VIS and entry/exit databases. The EDPS considers this as premature.