Statewatch is seeking information on secrecy and security exceptions in asylum and immigration cases


Individuals involved in immigration and asylum proceedings can face multiple barriers to a fair hearing: an unfamiliar or unknown language, a lack of legal aid, and limited support networks. There is also the possibility that secret evidence will be used to refuse their applications or deny them entry to the territory. To gather further evidence on the extent of this problem, and the possibilities that data protection law offers as a remedy, Statewatch has launched a questionnaire to gather evidence from affected individuals, lawyers and support groups.

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

This article and the questionnaire are also available in: Deutsch / Ελληνικά / Español / Français / Hrvatski / Italiano / Magyar / Polski

You can find the questionnaire here.

Data transfers

A Ukrainian activist living in Poland receives a Schengen entry ban. A British journalist is detained in Greece and banned from the Schengen area for 10 years. A Saharawi activist who lived in Italy with a residence permit as a child is refused a visa. An asylum-seeker is flagged as a security threat in an international database, and the authorities in Cyprus – where they are seeking protection – accept the assessment.

In each of these cases, the individuals affected were told that the information leading to their detention and exclusion was secret, leaving them no meaningful way to challenge the decisions. As Gruša Matevžič of the Hungarian Helsinki Committee puts it, courts “too often simply take the assessment of the security agencies that someone represents a threat to national security for granted, and do not question it.”

How many other similar cases are there? And could data protection law offer a way to fight secrecy in such cases? A Statewatch project aims to answer these questions, and a questionnaire launched today seeks input from affected individuals, lawyers, support groups and others.

Abolishing borders for information exchange

A common trend of EU policies over the last 20 years has been the development of databases and information systems that store information on migrants and asylum-seekers, so it can be accessed by law enforcement authorities and border guards.

There is also a growing appetite for the exchange of such information not just between EU authorities, but between EU authorities and their counterparts in third states – Europol’s powers to exchange information beyond the EU have been ramped up, a plan on “security-related information sharing” is in the works, and questions have been raised over the transmission of data from states in the Balkans through Frontex.

Data protection: rights on paper but what remedies in practice?

One of the basic principles of data protection law is individuals’ right to access personal data held about them, which includes the right to rectify or delete any incorrect or unlawfully collected information.

The Court of Justice of the EU (CJEU) has defined personal data as “information relating to an identified or identifiable natural person,” and has confirmed that the right of access “is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective, but also subjective, in the form of opinions and assessments.”

This broad definition is essential in the context of national security cases, where the assessment of the risk an individual poses can be based not just on concrete facts, but on the views and opinions of state officials.

Under new EU laws, any asylum-seeker identified as a risk for national security will face an accelerated decision-making procedure, undermining existing procedural rights, and also likely to involve detention and deportation. The ability to effectively contest such assessments may well become more important in years to come.

The CJEU has also issued rulings on the right to an effective remedy for individuals whose data has been shared across borders.

When the Netherlands turned down Schengen visa applications based on information received from other states, judges ruled that the state refusing the application should inform the applicant, at a minimum, of the specific grounds on which the refusal is based and the state(s) that objected to the application, to enable an effective challenge to that assessment.

There may also be a need for the authorities and judges to assess the actual effectiveness of any remedies available to them in another EU state or the risk of mistreatment and human rights violations and – when information has been shared by a non-EU state – whether the country in question has equivalent data protection standards to those set out in EU law.

EU jurisprudence on access to evidence in national security cases has been in place for more than a decade, and makes clear that the right to an effective remedy of a person can only be limited to the extent that is strictly necessary, and that the applicant must be informed – at a minimum – of the essence of the grounds on which the decision is founded.

The Luxembourg court has also made clear that national courts have a duty to make a thorough individual assessment of each case – for example, an individual can only be detained when their behaviour represents “a genuine, present and sufficiently serious threat affecting a fundamental interest of society or the internal or external security of the Member State concerned.”

Access to personal data

At the same time, the right of data subjects to request access to their information appears little-used. A 2014 report on the Schengen Information System II – the database in which Schengen entry bans are stored, along with a whole host of other data – found there were a “small number of requests made by data subjects in the exercise of their rights compared to the number of entries.”

The same report found that most countries did not provide reasons for refusing access to data – a practice that will have to change following a CJEU judgement from last year, in which the court ruled that the authorities cannot rely on a blanket refusal of access.

Furthermore, an individual must also be able to appeal to a judicial authority that can make a “review both of the existence and of the merits of the reasons which warranted the limitation on that information and of the correct execution, by the supervisory authority, of its task of verifying the lawfulness of the processing.”

Statewatch is seeking your help to gather information

Statewatch has published a questionnaire to gather more information on cases in which individuals have been denied access to information labelling them a security threat, and have been unable to access an effective remedy.

The results will be used to inform further research on how data protection law might best be used to ensure the right to an effective remedy, in order to produce information and educational materials intended to assist lawyers, support workers and affected individuals.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error