The march towards the interoperability of databases in the European Union challenges a number of fundamental rights including non-discrimination, effective judicial protection, privacy and data protection, including the principle of purpose limitation. This contribution argues that these challenges can essentially be viewed as rule of law challenges.
NB: This post has been prepared for the Project “Un-Owned Personal Data: Interoperable EU Borders and Transitioning Rights” and initially published here as part of the Blog Forum of this project. It is reposted in full below.
A broad definition of rule of law will be adopted in this context. It includes both rule of law ex ante, which relates to principles which are applicable in the law-making process (including legality, transparency and democracy); and rule of law ex post, which includes principles which are applicable after the enactment of legislation (including legal certainty, prohibition of arbitrariness and effective judicial protection including the protection of human rights).
This contribution focuses on three key underlying features of the interoperability evolution: First, the blurred boundaries of purpose limitation via the emergence of an (in)security continuum; second, the framing of interoperability as a depoliticised and de-legalised technical issue; and third, the significant gaps in individual protection arising from the complexity and opacity of the emerging interoperability system.
Interoperability follows the move towards enhancing operational co-operation on the basis of the maximisation of the collection, exchange and access to personal data included in the proliferating number of EU databases, and related attempts to enhance the maximum inter-connection of these databases. This move reflects what Bigo has called the (in)security continuum, whereby the securitisation of crime and terrorism is being transferred to migration and mobility. Such (in)security continuum – justifying allowing access by law enforcement authorities to immigration databases for ‘security’ purposes- is not new: it was already highlighted in European Council responses after the Madrid attacks, including in the Hague Programme.
The 2005 Hague Programme placed emphasis on the interoperability of databases, including in the context of migration management. It called on the Council to examine ‘how to maximise the effectiveness and interoperability of EU information systems’ and invited the Commission to present a Communication on the interoperability between the Schengen Information System, the Visa Information System (VIS), and Eurodac.
The Commission presented its Communication a year later, in November 2005. The purpose of the Communication was to highlight how, beyond their present purposes, databases ‘can more effectively support the policies linked to the free movement of persons and serve the objective of combating terrorism and serious crime’. On the basis of this approach, the Commission argued strongly in favour of access of authorities responsible for internal security to immigration databases such as SIS, VIS and Eurodac.
It has taken more than a decade for the (in)security continuum and interoperability agenda of the Commission and the Council to be fully reflected in legislation. Proposals to extend access of EU immigration databases such as the VIS and Eurodac to law enforcement authorities have been controversial as they overlook the purpose limitation principle but have eventually been adopted.
Further immigration databases, including an Entry-Exit System (EES) and a Travel Authorisation System (ETIAS) have recently been adopted. In addition to the production and access to data in EU immigration databases for security purposes, parallel developments in EU law, via the conclusion of a number of Agreements with third states and the adoption of an internal EU Directive, have led to the generation of data from the surveillance of mobility of air travellers via the Passenger Name Record (PNR) transfer system. More recently, the blurring of boundaries between immigration and security has also occurred via a reversal of the (in)security continuum paradigm: via the addition of an immigration component to criminal law measures, as seen by the extension of the European Criminal Law Information System (ECRIS) to include data on third-country nationals (ECRIS-TCN).
Blurring boundaries in this manner results in an all-encompassing, yet at the same time amorphous concept of security, which is constantly prioritised but may serve to undermine key distinctions and limits to the reach of the state in the lives of individuals. Interoperability serves to take this ‘catch-all’ concept of security a step further, and in this process the principle of purpose limitation is the first victim.
Vigilance is required in this context as the move from an (in)security continuum involving migration flows is likely to morph via the extension of interoperability (via the future inclusion for instance of PNR data) to a continuum transferring securitisation also to generalised citizen mobility. In this manner, we are witnessing a clear shift from immigration control to border security to a generalised security control system.
A constant feature behind the pro-interoperability discourse has been the framing of interoperability as a merely technical issue. In its 2005 Communication, the Commission presented interoperability is a technical rather than a legal/political concept, in a clear attempt to de-politicise the issue and to shield it from legal and democratic scrutiny- notwithstanding its considerable potential consequences for the protection of fundamental rights.
In the revival of the interoperability agenda in the recent past, the shaping of this agenda- prior to the dossier reaching the legislative phase at EU institutions- has been advanced by a single-agenda, ad hoc group- the High Level Expert Group on Information Systems and Interoperability being established, which reported in May 2017. This technocratic framing of the issue is at odds with the significant fundamental rights consequences that maximum information access and exchange backed up by interoperability entails.
Unsurprisingly, ex post, the technical has also prevailed in the design of the management of the EU interoperability framework, with supervision entrusted in ‘technical’ agencies. A key example of the supervision of a ‘technical’ interoperability system by a ‘technical’ agency is eu-LISA: an EU agency established to ‘run’ the proliferating EU databases, and to advance interoperability.
More specifically, the interoperability Regulations envisage a central role for eu-LISA in developing key elements of interoperability including the European search portal, creating profiles within the system and establish an interface control document; developing shared biometric matching service and ensure its technical management; and developing the common identity repository and an interface control document.
Eu-LISA will host the various interoperability components and ensure that their central infrastructures are operated in accordance with the Regulations. The establishment of a technical, single-agenda agency in this context poses further challenges to the rule of law requirements of transparency and accountability in the access and processing of personal data in the European Union and may serve to mask the fundamental rights consequences of interoperable data sharing and processing from meaningful legal scrutiny.
The rule of law challenges of lack of transparency and accountability on the one hand and lack of an effective remedy on the other are exacerbated by the combination of opacity and data maximisation that interoperability seeks to offer. The interoperability Regulations have introduced a multi-layered system of elements aiming to ensure maximum access to and exchange of personal data located in a number of EU databases set up for different purposes.
Various technical components are layered one after the other, and, as the EDPS has noted, the measures add another layer of complexity to the existing systems, as well as those that are still in the pipeline- with Interoperability implemented this way leads to more complexity rather than simplification, both in terms of data protection and in terms of governance and supervision.
It is important to re-iterate here that interoperability is not a mere technical addition to the existing legal framework on EU databases, but rather it constitutes a distinct legal development with renewed fundamental rights implications regarding the use and processing of data. As the EDPS has eloquently noted, interoperability ‘would not only permanently and profoundly affect their structure and their way of operating, but would also change the way legal principles have been interpreted in this area so far and would as such mark a ‘point of no return’.
This qualitative change generates significant rule of law challenges, as the affected individuals are left to navigate a labyrinthine landscape marked by considerable legal uncertainty, both as regards identifying instances of processing of their personal data and in terms of being provided with an effective remedy against interoperable administration.