Conclusions: Your personal data is going on a journey

This report is available in PDF format here.

The EU is constructing a number of new systems for the screening, monitoring and tracking of international travellers that places them under an increasing veil of suspicion. Justified primarily in the name of ensuring security, all non-EU citizens attempting to visit the Schengen area will have their biometric and biographic data registered in large centralised databases, where it will be cross-referenced against a host of other systems and used to feed new databases, profiling tools and watchlists and used for a multitude of purposes beyond the processing of visa and travel authorisation applications. This raises a number of immediate and more long-term concerns that require further investigation, reflection and action.

Extended data-gathering and processing

The process of making an application for both visas and travel authorisations will require the collection of more personal data from a far greater number of people than at present. While the forthcoming rules on visa applications do not introduce significant new categories of personal data to the system, they will vastly expand their scope, by lowering the age limit for fingerprinting to just six years old. The biometric data of up to a million more children will be stored as part of the visa process. The rules on travel authorisations, meanwhile, require the collection of various types of personal data from travellers who currently are not subject to any such regime, including on their education, employment, criminal records and more.

Feeding a new identity database

The mere collection and storage of any personal data has to be necessary and proportionate if it is to be considered legitimate. However, the new troves of data that will be held on visa and travel authorisation applicants are also intended to undergo significant further processing. ‘Identity data’ – names, date and place of birth, sex, travel document data, fingerprints and a photograph – are to be stored in a vast new database, the Common Identity Repository (CIR), which is being introduced to facilitate police identity checks within the EU and to ease the use of other new technologies, such as the forthcoming Multiple Identity Detector (MID). This is just one of an array of tools that are being introduced in order to judge whether travellers are ‘risky’ or not.

Automated database checks

In a significant departure from current practice, there will be automated checks of all visa and travel authorisation applicants against a wide variety of national, EU and international databases concerning asylum policy, criminal records registries, police alerts, lost and stolen documents and border crossings, amongst other things, while automated checks through the Multiple Identity Detector will try to establish whether a false identity is being used. Whether these new procedures will yield a significant number of results remains to be seen. However, it is important to note that, for travel authorisation applicants in particular, this is a fundamental shift to being treated a priori as potential suspects. Furthermore, it has been well-demonstrated that Interpol’s systems for reporting lost and stolen travel documents have been widely-misused, and this provides a further opportunity for such nefarious activities. The fact that travel authorisations will be automatically refused if an individual’s travel document is reported as lost or stolen with Interpol is an issue of particular concern.

Automated profiling and the risk of discrimination

Perhaps the most troubling of all the new elements being introduced to the visa and travel authorisation procedure is the automated profiling system. The EU’s Fundamental Rights Agency, commenting on the proposal to introduce the ETIAS, remarked that there is “limited research available on the feasibility of using risk indicators without engaging in discriminatory profiling,” and that such a system should only be introduced if a test phase demonstrates the necessity and proportionality of doing so.[1] There has been no such caution in the approach adopted by the EU and the functioning of these systems must be subject to close scrutiny from public institutions and civil society.

‘Pre-crime’ watchlist

A further dangerous novelty comes in the form of the new ‘watchlist’ being introduced for the ETIAS and the VIS, which will contain data on people suspected of having committed crimes in the past, as well as those who it is believed may commit crimes in the future. The watchlist is being introduced despite the EU already having a range of such options at its disposal: for example, by storing alerts in the SIS, in the data held by Europol, or on the terrorism sanctions lists it maintains. The need for this new system is unclear and the safeguards largely rely on law enforcement authorities checking their own practices. As with the profiling function, critical oversight and examination of the watchlist function will be required in the years to come.

Outsourced border controls

Once a visa or travel authorisation is accepted, the applicant will be able to travel to a Schengen border. The network of control that is exercised over potential visitors to the EU is also being expanded to this stage of the process. Carriers, such as airlines or coach companies, will serve as outsourced border guards, obliged to check all non-EU citizens’ documents against the VIS and ETIAS databases to see whether their papers are in order. While this is not an entirely new role for travel companies, the introduction of new technologies and the expansion of ‘permission to travel’ requirements to non-EU citizens not subject to a visa obligation represent new links in the chain of scrutiny and control being placed upon non-EU citizens who wish to visit the Schengen area.

Queries at the border

At the border, an individual’s personal data will once again be screened against a panoply of national, EU and international databases and their personal data will be stored in another new database, the Entry/Exit System (EES). This will hold the biometric and biographic data of almost all visitors to the Schengen area and will be used to determine whether they have stayed longer than permitted. More traditional enquiries, such as questioning and searches, may also be made of travellers, but these too may be informed by new technologies. In particular, the function allowing officials who approve a travel authorisation to ‘flag’ an individual of interest to border guards may result in unwarranted or discriminatory questioning or searches at the EU’s borders.

Checks in the Schengen area

Within the Schengen area, these new databases will also play a role in the monitoring of travellers. The CIR is intended to facilitate police identity checks within the territory of the member states, and officials who are authorised to use the VIS, ETIAS and EES will also be given access to the underlying data held in those systems, such as data from a visa application file or travel authorisation. While the VIS, ETIAS and EES legislation allows for the use of the systems for identity checks, the rules governing the CIR are far more permissive and lack the necessary checks and balances that might help mitigate the use of the system as part of ethnic profiling operations. Indeed, the very existence of the CIR is likely to indirectly encourage the use of ethnic profiling in police work, as it will consist of a vast new dataset entirely on non-EU citizens. In combination with access to the VIS, ETIAS and/or EES, ordinary police officers will be granted access to a significant amount of data about a person, their travel history and their personal circumstances.

After departure

Even after an individual has left the Schengen area, their personal data will have a long afterlife. Files will remain in the VIS for five years, in the ETIAS for three years (with a possibility for a three-year extension, subject to the traveller’s consent) and in the EES for three years (or five years if no exit is logged). These retention periods will ensure the availability of the necessary raw material – that is, personal data – for the construction of the profiling tools, may be accessed in the course of criminal investigations, and will be processed every time any other individual makes a visa or travel authorisation request, or the new Multiple Identity Detector is launched.

Data quality

A number of overarching issues accompany these changes. The first is that if these new systems are to function correctly, then it is of paramount importance to ensure that the data they use is accurate. However, it has been known for years that existing EU databases are riddled with errors, and it is only now – as new systems are under construction and existing ones are being expanded – that EU institutions and national governments are trying to work out ways to ensure high-quality, accurate data is entered and used. Combining the data of tens of millions of people in new databases, and cross-checking that data across a multitude of systems, massively increases the risk of errors that may result in irreparable harm to individuals.

Data overload

Secondly, it is also well-established that the authorities have trouble coping with the amount of data they have. There is no shortage of cases in which criminal acts – including terrorism – have been carried out by people already known to the authorities. The idea that more state storage of data will inherently keep us safe from potential ‘threats’ is severely lacking in credibility. The plans to vastly increase the storage of data on foreign nationals is also particularly worrying at a time when EU governments have shown themselves all too willing to subvert democratic norms and the rule of law whilst presenting foreigners as scapegoats for society’s ills. There are huge potential dangers in the assumption that sensitive personal data on tens of millions of non-citizens can be centrally stored with no potential political risks in the years ahead.

Non-citizens as guinea pigs

Thirdly, the technologies being deployed are untested, despite raising huge risks, in particular with regard to the potential for unlawful discrimination. Nowhere is this clearer than in the case of the profiling system being introduced for visa and travel authorisation applicants. Non-EU citizens will effectively be guinea pigs for a range of unproven tools and technologies that may lead to serious restrictions upon their fundamental rights. The fact that these new systems almost entirely concern only non-EU citizens is perhaps one reason why the use of dubious, untested technologies is taking place with so little public interest and scrutiny. The risk of ‘population creep’ – that is, extending the blanket gathering of biometric and biographic data for the purposes of risk analysis and monitoring of movement to EU citizens – should be a cause for more widespread critical attention.

Access to remedies

A fourth overarching issue concerns the possibility of those affected by these systems to access an effective remedy. While the legislation contains all the relevant guarantees for data protection rights – such as to request access to one’s own data and to have it corrected or deleted in case of error – the exercise of those rights may prove challenging. Numerous different data protection regimes (both EU and national) will govern the use of these systems. This will lead to significant legal complexity that will not be diminished by the fact that anyone seeking to exercise their rights will face a legal system with which they are unfamiliar and which functions in a language they may not speak fluently, if at all. Exactly how states will ensure that the rights provided on paper are effective in reality remains to be seen. Stringent oversight from national and EU data protection authorities will be needed to ensure access to those rights, as well as to ensure the systems are not abused, but there is no indication those authorities are being provided with significant extra resources for this work.

While, formally-speaking, there has been democratic scrutiny of the new rules, it is well-established that the EU’s law-making process is largely opaque to all but those participating in it and unintelligible to non-specialists who do not have the time to accustom themselves to the jargon of ‘trilogues’ and ‘comitology’. Over the last five years, EU policies on the processing of non-citizens’ personal data have expanded and accelerated significantly, largely out of the public eye. Far greater scrutiny should be afforded to how these systems work in practice, as well as the development of future initiatives in this field.

Previous section: Step five: Departure


[1] European Union Agency for Fundamental Rights, ‘The impact on fundamental rights of the proposed Regulation on the European Travel Information and Authorisation System (ETIAS)’, 30 June 2017, p.29,


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error