Interoperability Regulations n. 817 and 818 of 2019 establish a framework for the interoperability of the six Large-Scale IT systems currently existing or of soon implementation in the area of freedom, security and justice, namely the Schengen Information System (SIS), the Visa Information System (VIS), the Entry Exit System (EES), the European Travel Authorisation System (ETIAS), the European Dactyloscopy System (Eurodac), and the System for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN). Currently in its implementation phase, the legal framework of the sister Regulations is mostly unclear because of the highly technical wording used by the EU legislator. Despite this, the huge IT novelties introduced under the Interoperability framework are already raising important reflections on the use of biometric technology for identification purposes – see for example Matthias Leese.
Interoperability Regulations will allow the correct recognition of individuals at the borders and through the Schengen area as regulated under its new Article 20. Interoperability Article 20 shall be seen as the cornerstone of the latest improvement in the field biometric technology which extends the Automated Biometric Identification System (ABIS) to the new generation of centralised JHA systems – a study on the implementation of the ABIS on SIS is available here. Under this provision, police authorities are allowed to consult the Common Identity Repository (CIR) to identify individuals by relying on the biometric identification technique – i.e. the so-called one-to-many search. For this purpose, the CIR will store the identity data of all third country nationals already registered in one of the underlying IT systems so as to assign an identity file to each person. In this way, police authorities are facilitated in the retrieval of a migrant’s identity data thanks to the biometric consultation of the individual files stored in the CIR.
The processing of identity information and especially the use of a special category of personal data call into question the proportionality of Article 20 in the light of the fundamental right to the protection of personal data enshrined in Article 8 of the EUCFR. Its lawfulness with regard to the data protection legislation was successfully assessed provided that its scope of application was restricted to five specific circumstances listed in its first paragraph. Only in these cases police authorities may consult the CIR but “[…] solely for the purpose of identifying a person […] with the biometric data of that person taken live during an identity check”. Nevertheless, during the negotiations of the Interoperability package Article 20 raised many concerns as to the right to the protection of personal data of individuals subjected to a biometric identification. As a consequence, this provision has been imbued with a set of guarantees aiming at preventing its abuse.
- First, the risk to attribute the wrong identity through the lecture of biometrics is highly elevate when personal data are matched with millions of records previously registered in a centralised system. For this reason, biometric identification shall be conceived as a last resource instrument that shall be used only when recognition is not otherwise possible, e.g. the verification of individuals identities with a valid travel document.
- Second, facial recognition may allow the use of long-distance recognition practices that eventually flow into mass surveillance systems – on this concept, see the ECJ case-law. For this reason, Article 20(2) specifies that identification shall be initiated always in the presence of the person.
- Lastly, the deployment of identity checks based on suspicious or targeted persons may infringe the no discrimination principle whose prohibition is recalled under Article 5 of the Interoperability Regulations, which enhances the protection envisaged under Article 21 of the EUCFR.
On the contrary, while Article 20 explicitly declares that the access to the CIR to retrieve the identity data is limited to police authorities, a systematic interpretation of the legal texts reveals that the aim of identification may be wider – compare the definition of Directive 2016/680 Article 3(7) with Article 20(5) of the Interoperability regulations and the related impact assessment. In this sense, biometric identification would not be circumscribed to police purposes of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, but also to the prevention of and combat against illegal migrants. This uncertainty is aggravated by the fact that Article 20 will play a major role not at the borders where identity checks are already executed under Article 77(2)(b) of the TFEU, but within the territories of the Member States.
As reiterated by the European Data Protection Supervisor (EDPS), identification cannot constitute a purpose in itself but shall pursue a specific objective underpinned by a valid legal basis under the TFEU. While identity checks for police purposes may be justified in the light of the EU competence of maintaining a high level of security within the area of freedom, security and justice – see Article 67 of the TFEU – the deployment of territorial identity checks for migration purposes cannot be justified in the light of the Schengen Border Code requirements of lawful access to the Schengen area, but only under the EU competence to fight against illegal immigration and unauthorised residence caged under Article 79(2)(c) of the TFEU. In this sense, the EU legislator is entitled to regulate the execution of identity checks within the territory of the Member States not only of those migrants who have crossed the external borders without authorisation – and will be subjected to an ex post-entry screening procedure – but also to identify those staying in the Schengen area in an irregular form – interestingly, the latter category would also include migrants whose irregular status derives from a breach of national provisions, e.g. in case of a long stay residence. However, the identification of third country nationals within the territories of the Member States cannot be deployed in a systematic manner without undermining one of the fundamental principles underpinned under the JHA area: the establishment of an area without any control on persons enshrined in Article 77(2)(e) TFEU that specifically includes migrants – see also the ECJ opinion on the equivalent effect doctrine in Atiqullah Adil here. The execution of these checks shall be restricted to specific cases where there are suspicious that the individual is laying in the territory in an irregular form or in the field of random controls on persons that shall be executed in a non-discriminatory way.
The debate around the lawfulness of Article 20 shall be promoted a fortioti after the presentation of the New Pact on Migration and Asylum last 23 September 2020 which among the proposals entails the one advanced by the Commission to establish a new border procedure known as pre-entry screening. According to this proposal, migrants who have eluded border controls and have entered the Member State’s territory irregularly will have their biometric data transmitted to the Eurodac system, whose future recast will evidently establish a turning point toward the registration of irregular migrants over asylum seekers – a last remaining category of irregular migrants whose data are not yet recorded in any underlying IT system has been included within the scope of the new proposal, namely those persons who disembark following a search and rescue operation. Once the Eurodac Regulation will be adopted, the identity data of these categories of persons will be stored also in the CIR for the Interoperability purposes and, concretely, its Article 20. In this sense, Interoperability will support border guard authorities in channelling the migration flows by rapidly recognising third country nationals through the implementation of systematic biometric checks that ensures the fast identification of individuals.
Now, for the purpose of Interoperability this new procedure constitutes an enlargement of the scope of Article 20 that not only risks voiding the guarantees established under Article 20 in a disproportionate way, but also fuels the debate on the normalisation of biometric checks within the territories of the Member States – see Article 19 of the proposal.
First, the pre-entry screening proposal does not relegate the identity checks to a subsidiary function with respect to the identification of individuals whose identities cannot be ascertained otherwise – see Article 10 of the pre-entry screening proposal that allows consulting the data stored in the CIR tout court. Therefore, biometric identification of individuals becomes here the principal purpose for the processing of personal data which hardly conciliates with the principle of necessity and proportionality for which identity has to be ascertained with a less intrusive mechanism – on this rationale, see also Article 14 of the EES Regulation that foresees different types of identity checks in the procedure for entering data in the EES system. According to these principles, identity checks shall be regulated in a progressive manner so as to respect the individuals’ right to the protection of personal data safeguarded under Articles 8 and 52(1) of the EUCFR – among others, Digital Rights Ireland Ltd and Tele 2 Sverige AB.
Second, the amendment to Interoperability’s Article 20 will provide for new consultation rights. The pre-entry screening procedure does not clarify which authorities are competent for conducting the identity checks, but it is foreseeable that a larger number of authorities than those contemplated under the current Article 20 will be involved, among which border guard authorities – see Article 6(7) recalled by Article 19. The consultation of the CIR by border guard authorities will enlarge the right to access the identity data stored therein which, according to the EDPS, may lead to a function creep issue. Indeed, even if border authorities have already been granted access to almost all underlying IT systems – for the moment, the unique system that lays out of their control is the ECRIS-TCN – we shall not forget that the access to the CIR for identification purposes is establishing a new different purpose to the underlying IT systems but this one was limited to police authorities only, in the terms analysed above – on the application of the multipurpose principle in the IT systems and Interoperability see Evelin Brouwer and Niovi Vavoula, the latter focusing on the progressive access of law enforcement authorities to borders, migration and asylum database.
Last but not least, although the identification of third country nationals under the pre-entry screening procedure will play a major role at the EU external borders so as to speed up the frontline procedures, the pre-entry screening Regulation will also enhance the use of Article 20 within the territories of the Member States. Hence, this procedure is potentially directed also to third-country nationals “[…] apprehended by the police or other competent authorities in the territory of a Member State while not fulfilling the conditions of entry and stay […]” in line with the scope of application of Interoperability Article 20 – emphasis ours. However, differently from the huge legal basis that supports the Interoperability reform, the pre-entry screening proposal is not underpinned by Article 79(2)(c) but by Articles 77(2)(b) and (d) of the TFEU. As such, our impression is that the EU legislator is stretching its competence on the controls and management of external borders toward the territory of the Member States. Yet, as already highlighted above, while systematic identity checks are justified at the external borders to accomplish the requisites of entry to the Schengen area, these cannot be routinely executed within the territories of the member States since the scope of the latter is limited to the specific grounds of security or illegal migration.
All in all, the extension of the scope of application of Interoperability Article 20 under the pre-entry screening proposal confirms that the hybrid nature of biometric checks tends more to the management of migration flows than to the criminal section. Concretely, the biometric identification of third country nationals will address a crucial weakness of the EU migration and asylum policies, that is to say, the recognition of undocumented migrants. In this way, the use of biometric identification techniques is creeping into the different policies that integrate the JHA area which might constitute a first step toward the social acceptance of new digital identities that are directed to the improvement of efficiency public policies.