EU states failing to uphold immigration data safeguards amidst renewed push for deportations


EU member states are violating laws designed to protect individuals from data abuse by police and immigration authorities, according to an official report. This should be a major cause for concern, given plans to introduce new laws to deport more people and ban them from returning to the EU. However, the report does not even name the countries that are failing to follow the law, posing massive challenges for democratic scrutiny and accountability.



The European Commission, Brussels. Image: Eric Holcomb, CC BY-NC 2.0

The largest police and migration database in Europe

In the beginning, there were open borders.

That’s one of the most commonly told stories of European integration.

But with open internal borders came compensatory measures, such as the exchange of information about people deemed risky or dangerous, missing people, victims and witnesses of crime, and objects such as stolen cars or identity documents.

People to be refused entry into the Schengen area – originally classified as “unwanted aliens” – were another category of person covered by the rules.

To store and exchange this information, states created the Schengen Information System (SIS), which has become the EU’s largest and most widely used law enforcement database.

From policing crime to policing migration, while lowering data protection standards

Over the years the focus of the SIS has shifted from criminal law to migration governance. This has come at the cost of essential fundamental rights safeguards, argues the academic Jonas Bornemann.

Legal changes that came into force in 2023 oblige states using the SIS to register an entry ban in the system in nearly all circumstances when a deportation order has been issued against a person.

This was meant to “pave the way for mutual recognition of return decisions [deportation orders] between Member States.” This “mutual recognition” means each Schengen state has to enforce deportation orders issued by any other Schengen state.

Enforcing mutual recognition of deportation orders is also one of the key elements of the deportation Regulation proposed by the European Commission in March this year.

Another element concerns people posing security risks and will involve an early screening that can result in mandatory forced return, longer entry bans and separate detention grounds.

Since the start of the operation of the new system in 2023, the number of alerts on persons in the system has increased by 23%. This is a result of the more than 321,000 alerts on people facing deportation orders.

That number is growing: journalists Nidžara Ahmetašević and Emina Bužinkić report that in the first nine months of 2024, EU member states issued “327,880 expulsion orders, with 27,740 people forcibly removed between July and September.”

To try to accelerate deportations, the proposed new Return Regulation will introduce fast-track examinations of the proportionality of deportations, with the deporting state basing its assessment on information stored in the SIS.

Two years ago, when the new SIS rules entered into force, the Commission trumpeted its “strict requirements on data quality and data protection.”

However, according to academic Izabella Majcher, the standards in the SIS are weaker than those in the EU’s General Data Protection Regulation and the Council of Europe’s convention on data protection.

Majcher’s work shows how applicants have little capacity to seek redress if their information is wrongfully registered in the system. Law enforcement authorities, meanwhile, have considerable leeway to bypass data protection standards.

Shedding light on police mismanagement 

The original Schengen rules agreed in 1985 obliged member states to respect data protection standards.

This included a right for individuals to request access to their data – though this did not mean they would have an automatic right to access it.

Requesting access to your file would be useful, for example, if there was an entry ban against you, but you did not know why.

In the case of Western Saharan activist Mohammed Rabbani, having access to his file led an Italian court to rule that it be deleted – along with the entry ban against him.

The SIS rules make it possible to deny access requests on grounds of national security. States initially introduced different regimes for deciding when security should trump transparency.

Some allowed national data protection supervisory authorities to process access requests, and to “decide whether information shall be communicated and by what procedures.”

Others gave this power to the law enforcement agencies responsible for gathering, sharing and using the data.

However, the EU’s Law Enforcement Directive, agreed in 2016, requires an independent supervisory authority to verify what data are being stored about a person, and whether an authority’s refusal to provide access to their data is justified.

This was followed by the rules on the SIS that came into force in 2023. These say that when an access request is refused, the authorities must:

“…document the factual or legal reasons on which the decision not to provide information to the data subject is based. That information shall be made available to the supervisory authorities.”

In other words, self-assessment of access requests is no longer an option for law enforcement authorities. There must be an independent assessment of individual data access requests.

Ignoring the law, with no consequences

These legal changes do not seem to have been taken into account across the EU.

The European Data Protection Board (EDPB) is an EU body composed of the head of the data protection authority of each member state, as well as the European Data Protection Supervisor. The EDPB’s job is to ensure data protection law is applied in a consistent way across the EU.

Earlier this year, the EDPB published a report on the individual right of access to data stored in the SIS – the first ever such report.

It says that “not all EU countries have correctly implemented the indirect access obligation set out in article 17 of the Law Enforcement Directive.”

Incorrect implementation of the indirect access obligation means that not all supervisory authorities have been granted the power to carry out all “necessary verifications” to guarantee to an individual that their rights are being respected. For example:

  • whether there is no data about them stored in the SIS;
  • if there is data stored about them, whether it is correct; or
  • that a refusal of access is based on legally sound, balanced and documented reasons.

Despite this finding, the EDPB report concluded that variations in the data obtained from member states left it unable to draw any conclusions regarding data subjects’ rights under SIS.

This is a conservative observation and a missed opportunity to engage with member states’ failure to respect the right of access.

At the very least, the EDPB could have named the member states failing to follow the law. This would have helped applicants to dispel doubts about the adequacy of remedies and the transparency of the system.

Asked by Statewatch for the names of the member states that have “not correctly implemented the indirect access obligation,” the EDPB proposed contacting the European Commission, “as they are in charge of the Schengen evaluation reports and of monitoring the application of EU law.”

In the years to come, even more data will be recorded in the SIS, to facilitate deportations.

In February, the Polish Presidency of the Council of the EU lamented the lack of biometric data attached to deportation alerts because of restrictions in some national legal systems.

This concern was addressed in the proposed deportation Regulation. If passed as proposed, third-country nationals will be obliged to provide biometrics – facial images and fingerprints – to facilitate their removal. National authorities will then have to include them in the deportation alert.

The President of the European Commission claims that the swifter removal of people will be done while fully respecting fundamental rights and international law. Along with the ongoing violence that is fundamental to forced removals, violations of data protection rights are also clearly being ignored.


Further reading

04 March 2025

Italy: The end of the systematic denial of data protection rights?

Italy has been systematically denying people access to data about them stored in Europe’s largest policing and immigration database, statistics obtained by Statewatch show. Much of the data in question concerns entry bans and deportation orders. Knowing what information is stored is vital for people’s livelihoods and even their survival. EU institutions have known for years that mechanisms for the protection of individual rights were lacking. Now, victory in a long legal struggle may force the Italian state to comply with its obligations.

12 May 2025

Deportation camps: EU member states want to “prevent judicial scrutiny”

Agreements between the EU and non-EU states on so-called “return hubs” should be “framed in flexible way” to “prevent judicial scrutiny.” This is according to a document produced by the Polish Presidency of the Council in February, obtained and published by Statewatch.

13 February 2025

Polish government proposes life-long EU entry bans for deportees

In the coming months, EU institutions will start negotiating a new law to increase deportations. EU governments want their positions taken into account in the European Commission’s forthcoming proposal. The Polish government has proposed banning deportees from EU territory for “an indefinite period of time,” alongside other coercive measures.

 
