19 June 2020
Since May 2018, EU institutions have been discussing changes to the Visa Information System (VIS), a large-scale database that holds data on tens of millions of applicants for short-stay Schengen visas. The proposed changes would introduce a number of new features, including a direct role for Europol in decision-making, if the Commission and Council get their way. This would be a significant extension of the agency's powers. There are further concerns about the agency becoming a "black box" for data from third countries that might be used against travellers to the EU.
Upgrading the VIS
The VIS currently stores data on all applicants for Schengen short-stay visas and at the last count in September 2017 held data from 49 million visa applications, alongside 42 million sets of fingerprints. A recent upgrade expanded the database so that it can hold a total of up to 100 million visa applications. 
The legal proposal under discussion would introduce 'interoperability' into the processing of visa applications through new automated checks against national, EU and Interpol databases, along with a new profiling system and the extension of the fingerprinting requirement to children as young as six. As things stand, children aged 12 and over are fingerprinted. Long-stay visas, currently a national competence, would also be subject to these checks, biometrics would become mandatory and certain data would be stored in the VIS.
A role for Europol
Under the new regime, data from visa applications will be checked against a host of different national, EU and international databases. This will include checks against 'Europol data' for the purpose of "identifying connections or other relevant links between information" on two categories of person: those suspected of having committed or taken part in a criminal offence, or who have been convicted of a criminal offence; and those about which "there are factual indications or reasonable grounds to believe that they will commit criminal offences in respect of which Europol is competent."
What exactly will happen in the case of a 'hit' - that is, when data from a visa application matches data in Europol's systems - is currently open to dispute. The Commission's proposal was rather vague - in the case of a 'hit', the visa authorities of the member state processing the application should "consult the Europol national unit for follow-up"  in accordance with the 2016 Europol Regulation. 
The European Parliament's negotiating position, which has been steered by European People's Party MEP Paulo Rangel, proposes setting up a new "single national point of contact" for dealing with hits from visa applications against databases. This would gather "liaison officers of SIRENE Bureau, Interpol National Central Bureaux, Europol national central point, ETIAS National Unit and all relevant national law enforcement authorities," who would have to be available 24/7 and "ensure the relevant manual verifications and assessment of hits." 
In the case of a hit against Europol's data, the point of contact would have to get in touch with Europol and "then assess the hit." The single point of contact would be responsible for providing a reasoned opinion to the visa authorities.
The Council, meanwhile, wants a more direct role for the policing agency. In the Council's view, where data from a visa application matches data held by Europol, an "automated notification" should be sent to Europol so that it could "verify the hit by comparing it with its own data." Upon confirmation of a match, "Europol should provide a reasoned opinion to the Europol national unit and to the competent visa authority of the responsible member state," and that opinion would then be stored in the visa application file. 
A vague text
Both the Parliament and Council want someone to provide a reasoned opinion, although neither text specifies exactly what it should deal with - the data that triggered the hit, the individual in question, or the visa application as a whole? The Parliament's text says the single point of contact should provide a reasoned opinion "in view of the decision on the application to be taken," which remains unclear, while the Council's text is silent on the issue.
The Council's press office told Statewatch that "Europol should provide an opinion on the correspondence of the data not on the whole application file." However, the Council's text suggests something more than this: "once the hit is confirmed" - that is, once it is confirmed that the sets of data correspond - "Europol should provide a reasoned opinion".
David Fernandez Rojo, an expert on EU justice and home affairs agencies based at the University of Deusto in Spain, told Statewatch that the vague provisions in the Council's negotiating position are a common feature of legislation governing EU agencies, as it allows the member states to retain some leeway in interpreting measures that touch on core issues of state sovereignty.
A risk of "rubber-stamping"
He also underlined that, while it is clear that ultimate responsibility for making decisions on visa applications will formally remain with the national authorities, Europol's "reasoned opinions" may end up having significant influence, as has happened elsewhere with the work of an EU agency.
In the hotspots in Greece, the European Asylum Support Agency (EASO) was deployed with a mandate to assist the Greek authorities in processing asylum applications. In practice, decisions were "rubber-stamped by the Greek authorities but in practice the decision was by EASO," Fernandez Rojo said.
The European Ombudsman, despite acknowledging "genuine concerns about the extent of the involvement of EASO personnel in assessing asylum applications in the Greek hotspots," declined to launch an in-depth inquiry into the issue. 
An extension of powers
If the Council has its way, granting Europol a more direct role in the visa application decision-making process would represent a significant extension of the agency's powers.
Europol's mandate is set out in the Lisbon Treaty, which says that its role is to "support and strengthen action by the Member States' police authorities and other law enforcement services and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy."
Statewatch asked the Council whether having a role in visa decision-making was compatible with this mandate. The press office suggested first that: "This is a question in which you should turn to the co-legislator (European Parliament)," although why so is unclear, given that the questions concerned the Council's negotiating mandate. The press office added that: "the security checks to be carried out when a visa application is lodged seem to be compatible with the mandate of Europol."
Paulo Rangel, the EPP's rapporteur for the revised VIS rules, did not respond to a request for comment. Clare Daly, an MEP for the European United Left (GUE) group and a member of the Parliament's civil liberties committee, said she would insist on maintaining the Parliament's position.
The EP's stance is "more logical" than that of the Council, said Daly, as "it does not 'empower' and give an excessive role to an Agency which should not be directly involved in the decision making of a Member State on whether to grant a visa to a third country national."
Expanding police powers
However, she also warned that any role for Europol in the visa issuance process has to be seen as part of broader trend towards giving more power to an agency she described as a "black box" for personal data. Another novelty of the proposed new visa procedure is the establishment of a 'watchlist', into which Europol will be able to insert personal data of wanted or suspicious individuals.
That information will not only come from EU member states, but from Europol's cooperation with non-EU states, "making it in practise close to impossible to check, verify and scrutinise this data," warned Daly. In the case of a 'hit' against data of which Europol was the 'owner', they "will not be revealing all of their data nor their sources to the member state and there we will have a 'super-national' authority getting involved in the process."
On paper, the legislation will contain all the EU's standard data protection rules to allow individuals to exercise their rights - but will this mean anything in practice?
Secret discussions for wide-ranging new rules
Remaining discussions on the new VIS rules will take place in secret 'trilogues', where the Parliament, Council and Commission meet together to work out compromises.
Discussions on the role of Europol have not yet started. Statewatch asked the Council's press office when it was expected that trilogues would be completed. They said: "It almost impossible to predict a timeline under the current circumstances."
Secrecy is perhaps not the only reason why the new rules have garnered such little public attention - they are also technically complex and buried in a sea of proposed amendments. Even the Commission, which drafted the proposal, seems to have become rather confused - in November 2019, six months after the proposal was published, it wrote to government delegations in the Council to highlight "the fact that certain provisions might be missing from the VIS proposal and thus from the Council and EP positions as well." Worryingly, those provisions covered key data protection safeguards relating to automated checks against other databases and the keeping of logs for inspection purposes. 
Europol's possible participation in the visa decision-making process is not the only issue still at stake: the scope and safeguards surrounding the new watchlist, the inclusion in the VIS of an automated profiling tool, the fingerprinting of children, the extension of the scope of EU rules to cover long-stay visas and the storage of additional information on all visa applicants have proven highly controversial with data protection experts and others.
Statewatch will next month be publishing a report on how the visa process is being transformed by 'interoperable' databases and new technologies, which will explore these issues in more detail. Sign up to our mailing list to receive more information and regular updates from us.
 eu-Lisa, 'Technical reports on the functioning of VIS', May 2018, p.9
 Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA
 Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol)
 Article 9ca, European Parliament legislative resolution of 13 March 2019
 Article 9ca, Council of the EU, Mandate for negotiations with the European Parliament (Final consolidated version)
 European Ombudsman, Decision in case 735/2017/MDC on the European Asylum Support Office’s’ (EASO) involvement in the decision-making process concerning admissibility of applications for international protection submitted in the Greek Hotspots, in particular shortcomings in admissibility interviews, 13 July 2017; ECCHR, EASO's involvement in the Greek Hotspots exceeds the agency's competence and disregards fundamental rights, April 2019
 Council of the EU, Complementing the VIS amendment with additional technical provisions, 14393/19, 21 November 2019
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.