Databases for deportations

Databases and networked information systems for use by police, judicial and immigration authorities have been key to the construction of the Schengen area and the EU project to create an ‘Area of Freedom, Security and Justice’. In recent years, attention has turned to expanding existing systems and introducing new ones as part of a broader project to ensure the biometric registration of almost all non-EU nationals in the Schengen area. Furthermore, under the moniker of “interoperability”, the data held in these systems is being interconnected and used in new and controversial ways.

These databases have a key role in the ongoing efforts to step up deportations. As the Commission put it in 2017: “The apprehension, identification and monitoring of irregular migrants are preconditions for effective return,” requiring “systematic exchange of information” within and between member states and with EU agencies and institutions. Changes introduced in recent years or currently under discussion seek to assist in detecting those with no legal right to remain and ensuring that, once removed, they ‘get out and stay out’. In an attempt to further harmonise and coordinate state action, Frontex has also been given an increasing role in the design and operation of databases used to facilitate expulsions, examined in the section ‘A centralised deportations database’.


Identification and apprehension

EU systems already play a significant role in the storage of data on migrants so that they can be identified and/or apprehended. However, changes proposed and introduced in recent years will see existing databases reformed and new ones introduced to facilitate these processes. Three systems are key to this goal: the Common Identity Repository, the Entry/Exit System and Eurodac.

The Common Identity Repository (CIR) was established by 2019 legislation on the “interoperability” of information systems and is supposed to be in use by 2023. It will be a centralised database of non-EU citizens’ identity data, with a capacity of up to 300 million files. Each file will contain basic biographic data – name, nationality, date of birth and information on travel documents – and biometrics – fingerprints, a facial image, or both.[1] This data will be extracted from five existing and forthcoming EU databases holding data on border crossings, visas, travel authorisations, asylum applications, irregular migrants, and criminal convictions.[2] The primary purpose of the CIR is to facilitate identity checks by national law enforcement authorities, simplifying the process of identifying people who may no longer have the right to remain in the Schengen area.

A report published in November 2019 by Statewatch and the Platform for International Cooperation on Undocumented Migrants (PICUM) argued that the interoperability initiative represents a fundamental shift in the way personal data is processed at EU level – by taking data gathered for one purpose and using it for another, it undermines the core data protection principle of purpose limitation.[3] The report also highlighted four key problems with the CIR:

  • while the legislation contains anti-discrimination safeguards, they are extremely weak and the existence of a new centralised database may encourage racial profiling for identity checks;
  • the proportionality of allowing access to the CIR for the broad purpose of “ensuring a high level of security” is dubious – it suggests that non-EU nationals a priori constitute a security threat, yet there is no evidence to suggest that they are more likely than EU nationals to be engaged in activities threatening to public security;
  • the legislation does not precisely circumscribe the specific offences or legal thresholds that could justify access to the database, contravening EU case law; and
  • depending on the way member states implement EU rules on data protection in the criminal justice and law enforcement sector, the CIR could be used to undermine ‘firewalls’ between public services and immigration enforcement.[4]

It remains to be seen whether the authorities can implement the interoperability project by 2023, given the technical and financial challenges involved.[5] If the system is set up and works as intended, it will provide a powerful new tool for authorities hoping to detect ‘irregular’ migrants, amongst a variety of other functions.[6] It seems that EU governments and a majority of MEPs have decided that undermining basic data protection principles and increasing the risk of racial profiling are a price worth paying to achieve that end.

The Entry/Exit System (EES, intended to come into use by 2021) will establish a registry of all border crossings made by non-EU citizens entering the Schengen area with permission, replacing the ink-on-paper charm of stamps in passports with a centralised database. Long-planned and initially proposed in 2013,[7] the project was temporarily shelved before being re-introduced in 2015.[8] The EES will contain both biometric and biographic data and will automatically calculate how long an individual is allowed to remain in the Schengen area. If an exit is not recorded in an individual’s file within the required time limit, their details will be transmitted to the relevant national authorities so that they can “adopt appropriate measures.”[9] The system also has a number of other purposes, including the possibility of access to the database for law enforcement agencies.

It seems likely that making full use of the information on ‘overstayers’ held in the EES would require significant further investment in the enforcement personnel and infrastructure needed to track down and expel people,[10] an issue that does not seem to have been fully taken into account by its proponents. The Commission’s impact assessment estimated that the system would allow an increase of 33% in the number of return decisions enforced by 2026, but there is no analysis of whether national authorities would be able to cope with the extra workload.[11] Indeed, the proportionality of the system itself is also questionable, given the estimate that just one in every 1,000 people who legally enter the Schengen area will ‘overstay’.[12] Nevertheless, the combined data held in the EES and the Visa Information System (VIS, which holds biometric and biographic data on all short-stay visa applicants), will allow national authorities to “identify any undocumented irregular migrant found within the territory that crossed the external border legally.” Whether “this will in turn facilitate the return process,” as the Commission has asserted, remains to be seen.[13]

The Eurodac database is also being transformed to facilitate the detection of people who may be expelled from the EU. Initially set up solely to assist with implementing the ‘Dublin’ rules on determining the state responsible for processing an application for international protection,[14] its purposes have already been altered once, through controversial amendments approved in 2013 that opened the system up to law enforcement agencies.[15] Currently, the central database holds the fingerprints of asylum seekers (known as ‘Category 1’, whose data is stored for ten years) and individuals apprehended in connection with irregular border-crossings (‘Category 2’, whose data stored for 18 months).[16]

Proposals put forward in May 2016 would, if approved, alter the system further, adding a host of new data to be used for new purposes. Alongside fingerprints, Eurodac would also store biographic information and facial images, to “prime the system for searches to be made with facial recognition software in the future,” provided the “technical feasibility” of doing so can be confirmed. The age limit for data collection would be lowered to six years old (the limit is currently 14). Crucially, under the proposals, data would be stored for five years on “third-country nationals or stateless persons found illegally staying in a member state” (also known as ‘Category 3’). Data on this group is currently only compared to that held on categories 1 and 2, but not held in the database; by storing it, Eurodac will be transformed into a database “for wider migration purposes.”[17]

The aim of this shift is to “accelerate the procedures for the identification and re-documentation” of individuals initially apprehended in another member state and “allow identifying country of transit of irregular migrants, hence facilitating their readmission in those countries.”[18] The proposals have been heavily criticised by legal experts and NGOs. Steve Peers, Professor of Law at the University of Essex, argued that the proposals were part of the “Orbanisation of EU asylum law”.[19] The European Association for the defence of Human Rights (AEDH) accused the Commission of promoting “a security logic of control in its management of migratory flows.”[20] The European Council on Refugee and Exiles (ECRE) argued that transforming Eurodac into a system “to control irregular migration and identify migrants for return is not justified on the basis of the evidence provided,” and is “an unlawful interference with the rights to privacy and data protection.”[21] Negotiations on the proposals are ongoing.


Expulsion and exclusion

The Commission’s Renewed Action Plan on return noted that member states were using the Visa Information System “for identification of irregular migrants to an increasing extent,” but visa application data was not usually accepted as proof of identity by the authorities of countries to which EU member states were attempting to deport people. Thus, as part of a wide-ranging plan to revamp the system – including by introducing an automated profiling system, lowering the age for data collection from 12 to six years old, as with Eurodac, and introducing biometrics into long-stay visas –  proposals were put forward to store a copy of the biographic data page of every short-stay visa applicant’s travel document in the central VIS database.[22]

Under the proposed new rules, “migration and return authorities… would be able to retrieve this [centrally-stored] copy, subject to strict access rules,” avoiding the need to make contact with the embassy or consulate at which the application was made, where copies of travel documents are currently stored. The intention is clear: “to help identify and return irregular migrants.”[23] The VIS would thus become a system not only focused on ensuring the ‘right’ people enter the Schengen area, but one also aiming to get the ‘wrong’ people out.

The necessity, proportionality and desirability of the proposed changes to the VIS have been questioned by data protection and fundamental rights experts.[24] The Fundamental Rights Agency highlighted the need for safeguards over the sharing of data from the VIS with non-EU countries for the purposes of preparing an individual’s expulsion.[25] An issue overlooked in these analyses is that the use of the VIS for ‘return’ purposes is not one of the primary purposes of the system. As a secondary (or “ancillary”) objective,[26] it should not determine the data to be stored in the system – but this is the only reason that copies of the biographic data page of applicants’ travel documents will be stored. As with Eurodac, negotiations on the proposal are ongoing, but neither the Council[27] nor Parliament[28] position fundamentally alters the provisions related to return proceedings.

Perhaps the most extensive changes to an existing EU database are those being made to the Schengen Information System (SIS), for which renewed legislation was approved in 2018.[29] The majority of alerts on persons held in the system have long been on “third country nationals to be refused entry or stay into the Schengen area,”[30] and one key aim of the new rules is to increase the number of entry bans stored. The system will also be more extensively used for enforcing expulsion orders.

Figure 1: Entry bans in the Schengen Information System, 2013-18

The inclusion in the SIS of return decisions was for many years dependent on differing national laws, meaning they were not systematically entered in the system. In its proposal for the new SIS rules, the Commission argued that this meant individuals could “avoid or prevent the enforcement of an existing [return] decision by simply moving to another member state,” where the authorities might apprehend the person in question, but be unaware of the existing decision. In such cases “the apprehending member state would therefore need to re-launch return procedures from scratch, further prolonging the illegal stay and delaying the return of the irregular migrant.”[31] The new requirement is intended to overcome this barrier to removal, by making information on expulsion orders available to all relevant national authorities connected to the SIS.[32]

The previous SIS legislation already offered three reasons for which an alert on refusal of entry or stay could be recorded: criminal convictions; “serious grounds for believing that [a non-EU national had] committed a serious criminal offence” or had clear intentions to do so; or an individual being the subject of “a measure involving expulsion, refusal of entry or removal… [including or] accompanied by a prohibition on entry”.[33] The new rules add a further point, making it mandatory to enter an alert on refusal of entry or stay whenever an entry ban is issued in accordance with the Returns Directive.[34] Combined with potential changes to the Returns Directive that are also under discussion,[35] this is likely to significantly increase the number of alerts in the SIS on people to be barred from entering, or remaining within, the Schengen area. While the changes with regard to both return orders and entry bans are intended to overcome significant national differences in the conditions for entering alerts, the new mandatory requirements also bypass the need for an individual assessment of the necessity and proportionality of entering each alert into the system.

Figure 1: Entry bans in the Schengen Information System, 2013-18


Towards a ‘return-opticon’

The political decision to try to step up expulsions from the EU has led to the transformation of existing databases and the introduction of new ones. These changes have been presented by their proponents as logical, desirable, necessary and proportionate, but this is far from being the case. Even the European Data Protection Supervisor has claimed that interoperability cannot be challenged, as it represents the “natural development” of IT systems. While the development of all technologies is subject to trends and transformations, framing the significant changes made to EU policing and migration databases in evolutionary terms merely provides further cover for what are, at root, political choices.

Agreed and proposed changes to these systems will increase the risks of racial profiling and undermine the purpose limitation principle (the CIR and interoperability); are likely to fail without further massive, undesirable investment in coercive infrastructure and personnel (the EES); lack evidence to demonstrate their necessity (Eurodac); involve secondary purposes propelling the processing of new types of personal data (the VIS); and will massively increase the number of alerts on expulsion orders and refusal of entry or stay in the SIS, further entrenching the structure of ‘Fortress Europe’.

Along with well-worn terms used to describe the EU’s security architecture – ‘panopticon’, ‘banopticon’, ‘neoconopticon’ – these changes could be seen as contributing to the development of a ‘return-opticon’: ultimately, the intention is to ensure the biometric registration of all foreign citizens in the EU and their ‘visibility’ to the authorities so that, if necessary, they can be deported as swiftly as possible. The scholar Niovi Vavoula has argued that:

“…interoperability is much more than a buzz word and a panacea for security and migration concerns; it has become the ‘Trojan Horse’ towards the silent disappearance of the boundaries between law enforcement and immigration control and the radical intensification of surveillance of all mobile non-EU nationals.”[36]

In conjunction with the proposed changes to the Returns Directive discussed in the previous section, the transformation of these databases is supposed to lead to a massive increase in the number of people being deported from the EU – assuming that the authorities are able to cope with such an increase. In order to assist national authorities in these tasks, the EU is also taking on an increasingly operational role in the removal of ‘unwanted aliens’,[37] through a huge extension of the powers, funding and personnel available to its border agency, Frontex.


[1] European Commission, ‘A Renewed Action Plan’, COM(2017) 200 final, p.5,

[2] Eurodac, VIS, EES, ETIAS and ECRIS-TCN. The ETIAS (European Travel Information and Authorisation System) applies to be people who do not need visas and is essentially a European version of the United States’ ESTA. It is a profiling tool to examine whether individuals are a “security, migration or health” risk and will only contain biographic data. Legislation was approved in 2018 and the system is currently under construction. The ECRIS-TCN (European Criminal Records Information System for Third-Country Nationals) is a database holding identity data – biographic and biometric data, primarily fingerprints and potentially photographs – of non-EU citizens who have been convicted in one of the Member States. The database will be used to locate previous convictions, while data on the convictions will still be held at national level. Legislation was approved in early 2019 and the system is also currently under construction.

[3] The purpose limitation principle, as defined in Article 5(1)(b) of the General Data Protection Regulation, states that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.

[4] See ‘Interoperability and undocumented migrants: fundamental rights and legal implications’ in ‘Data Protection, Immigration Enforcement and Fundamental Rights’, Statewatch/PICUM, November 2019, pp.31-38

[5] In autumn 2019, it was reported that the German interior ministry had “doubts that the project can be implemented by 2023 as originally planned,” due to “resource bottlenecks and overloading of the authorities involved,” as well as problems in recruiting specialist staff. The response from EU institutions has been to try to set up central coordination mechanisms. See ‘Implementation of Interoperability’ in the article ‘JHA Council, 7-8 October’, Statewatch News, 7 October 2019,

[6] A further purpose of the CIR is to facilitate law enforcement agencies’ access to data held in migration databases. The rules on ‘interoperability’ also establish a ‘Multiple-Identity Detector’ aimed at automated the process of detecting non-EU nationals suspected of using false identities through the bulk processing of biometric and biographic data.

[7] European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL establishing an Entry/Exit System (EES), COM(2013) 095 final,

[8] The law was approved in 2017. See: Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES),

[9] Article 12, Regulation 2017/2226 establishing an Entry/Exit System.

[10] The next EU budget is likely to significantly increase the money available for new surveillance systems, detention centres and communications infrastructures operated by border and immigration agencies. From 2007-13, the External Borders Fund had a budget of €1.7 billion. It was replaced by the Internal Security Fund – Borders and Visa for the 2014-20 period, with a budget of €3.8 billion. For the 2021-27 period, the Commission’s proposal for an Integrated Border Management Fund put forth a budget of €9.3 billion. See: European Commission, ‘EU budget: Commission proposes major funding increase for stronger borders and migration’, 12 June 2018, On previous and ongoing expenditure, see section 2.3 of the report ‘Market forces: the development of the EU security-industrial complex’, Statewatch/TNI, August 2017, pp.19-23,

[11] It is foreseen that 16% of overstayers will be identified by the EES by 2026, up from 5% estimated for 2020, which it is estimated will bring significant financial and efficiency benefits. However, while the “saved cost of not having to increase immigration enforcement services to identity more overstayers” is estimated, no calculations are included for the extra workload that may be generated by knowing the identity of more overstayers and of enforcing the estimated 33% additional return decisions that will be generated by 2026. See: European Commission, Impact Assessment Report on the establishment of an EU Entry Exit System, SWD(2016) 115, The latter point regarding workload has also been remarked on elsewhere: Dr Julien Jeandesboz et. al., ‘Smart Borders Revisited: An assessment of the Commission´s revised Smart Borders proposal´, October 2016, p.30,

[12] Under the heading ‘Impact for Immigration Enforcement’ in Annex 11, the Commission’s impact assessment relies upon a “proportion of overstayers” of 0.1% (1 in every 1,000). This in itself calls into question the proportionality of introducing such a system, given that it is foreseen it will include anywhere up to 83.5 million people, of whom just 83,500 would be overstayers. It is not clear how the 0.1% squares with the suggested “number of overstayers – medium value” of 250,000, and whether this value is constant or cumulative. See: SWD(2016) 115, op. cit.

[13] Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES), COM(2016) 194 final, 6 April 2016,

[14] Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person,

[15] ‘European Parliament's Civil Liberties Committee adopts proposal giving law enforcement authorities and Europol access to Eurodac’, Statewatch News, 19 December 2012,

[16] Article 9 and Article 14, Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of 'Eurodac',

[17] European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the establishment of 'Eurodac', COM(2016) 272 final,

[18] The proposal would also lower the age limit for data collection, for all three categories of person, from 14 to six years of age. New categories of data are also to be stored, including facial images. This, the Commission noted in the See: Proposal for a Regulation of the European Parliament and of the Council on the establishment of ‘Eurodac’, COM(2016) 272 final, 4 May 2016,

[19] Steve Peers, ‘The Orbanisation of EU asylum law: the latest EU asylum proposals’, EU Law Analysis, 6 May 2016,

[20] ‘La réforme d’EURODAC : Renforcement du contrôle des personnes plutôt qu’un système d’asile plus équitable’, AEDH, 30 November 2016,

[21] ‘ECRE Comments on the Commission Proposal to recast the Eurodac Regulation’, July 2016,

[22] See: ‘All visa applicants to be profiled and children fingerprinted for revamped Visa Information System’, Statewatch News, 17 August 2018,; ‘Visa Information System: Commission proposals sneak in mandatory biometrics for long-stay visas’, Statewatch News, 20 August 2018,; ‘Visa Information System: child fingerprinting and police access proposals criticised by data protection authorities’, Statewatch News, 21 August 2019,

[23] European Commission, Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EC) No 767/2008, COM(2018) 302 final, 16 May 2018,

[24] ‘Visa Information System: child fingerprinting and police access proposals criticised by data protection authorities’, Statewatch News, 21 January 2019,

[25] Fundamental Rights Agency, ‘The revised Visa Information System and its fundamental rights implications’, 30 August 2018, p.50,

[26] European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008…’, COM(2018) 302 final, 16 May 2018,

[27] General Secretariat of the Council, ‘Mandate for negotiations with the European Parliament’, 15726/18, 19 December 2018,

[28] European Parliament legislative resolution of 13 March 2019,

[29] Two are relevant for the purposes of this discussion: Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals,; and Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks,

[30] eu-Lisa, ‘SIS II – 2018 Statistics’, February 2019,

[31] Proposal for a Regulation on the use of the Schengen Information System for the return of illegally staying third-country nationals, COM(2016) 881 final, 21 December 2016,

[32] Lack of awareness of other member states’ decisions is not the only reason for a lack of mutual recognition and enforcement. In a majority of member states, national legislation provides the possibility to recognise return decisions issued by another member state under certain conditions, but they do not necessarily do so. A 2017 study by the European Migration Network found that “in practice, several of these Member States indicated that they never or rarely enforced such a return decision. The main challenge invoked for mutual recognition is the difficulty in knowing whether a return decision has effectively been issued by another Member State and whether it is enforceable.” See: European Migration Network, ‘The effectiveness of return in EU Member States’, 15 February 2018, p3,

[33] Article 24, Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II),

[34] Article 24(1)(b), Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks,

[35] Currently, return decisions handed down in accordance with the Directive (member states retain the option to deport people based on national, rather than EU law) must be accompanied by an entry ban in cases where national authorities have not provided for a period of voluntary departure or an individual has not complied with “the obligation to return”. Proposed revisions to the Directive would introduce a number of new situations in which it would be obligatory to deny a period of voluntary departure, thus increasing the number of situations in which an entry ban must be issued. The changes would also make it possible to issue entry bans to non-EU nationals who have “been illegally staying in the territory of the Member States and whose illegal stay is detected in connection with border checks carried out at exit” – that is to say, when they are leaving the EU anyway.

[36] Niovi Vavoula, ‘Interoperability of European Centralised Databases: Another Nail in the Coffin of Third-Country Nationals’ Privacy?’, EU Immigration and Asylum Law and Policy, 8 July 2019,

[37] Taking wording from Article 96 of the original Schengen Convention, this was the phrase used until the more palatable ‘third-country nationals to be refused entry or stay’ was brought into use by legislative updates in the 2000s.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error