EU’s ‘Smart Borders 2.0’ increases risks of surveillance and privacy abuses

Earlier this year the EU Commission introduced the “Smart Borders” package, a programme of the EU Agenda on Migration that poses a serious risk for the fundamental rights to privacy and data protection of everyone travelling to and from Europe.

The Commission first proposed the Smart Borders package in February 2013. At the time, the European Parliament and the EU member states dismissed the proposal due to its technical complexity, cost, and negative civil liberties implications. The Commission then conducted a consultation to collect views and opinions from travellers, EU citizens, non-governmental organisations, and public authorities, to help prepare the revised proposal introduced earlier this year. Unfortunately, Smart Borders 2.0 does not address the flaws of its predecessor and adds new privacy concerns.

Biometrics and data retention

As part of the Smart Borders package, the EU seeks to extend biometric ID checks — currently reserved for travellers from countries requiring visas — to all non-EU nationals entering or leaving the EU. Biometric ID checks would involve collecting four fingerprints and a facial image which would be retained in a centralised system, together with a plethora of other personal information, for five years. This excessive and unjustified retention mandate contradicts the jurisprudence of the EU Court of Justice. In April 2014 the court ruled that blanket retention of data is no longer authorised in the EU.

The alleged objective of this system is to help the authorities identify travellers who have stayed longer than permitted in the EU, so-called overstayers. However, having a single, centralised database opens up significant risks for the fundamental rights to privacy and data protection, due to the amount of data stored, the risk of unauthorised access to the data, and the lack of robust data protection safeguards in the proposal. Once in place, this system could enable profiling and increase risk of surveillance of travellers on a massive scale.

Law enforcement access to data

The big novelty of Smart Borders 2.0 is that it authorises law enforcement to access and use the retained data for the purpose of preventing, detecting, or investigating terrorist offences or other serious criminal offences. Not only have legislators failed to demonstrate the necessity and proportionality of this proposal, but history shows that local authorities have often abused their powers to look into people’s data for no valid reason. The proposal thereby multiplies the risks for privacy, data protection, data misuse, data abuse, and surveillance. The Commission does try to require EU states to put measures in place to limit access to data. In practice, however, member states can still decide who has access to the data and under which conditions. It is not clear how abuse can be prevented and what avenues for remedy are available for users.

Where are we in the discussion about this proposal?

The Civil Liberties Committee of the European Parliament (LIBE) and the EU member states are currently reviewing the package. Access Now has made the following recommendations to significantly amend the proposal to restore robust protection for fundamental rights and bring the proposal in line with EU law:

    • All articles and recitals related to the new and unjustified law enforcement purpose should be removed, as the measures are neither necessary nor proportionate, and the proposal creates significant risks for privacy and data protection.
    • The collection of biometric data should be limited, and rules on storage should promote tools for privacy by design, such as data shredding or encrypted storage, rather than merging and establishing a single massive database of sensitive information.
    • Travellers should have access to legal assistance and translation services.
    • Furthermore, we invite the Civil Liberties Committee of the EU Parliament to organise hearings and seek legal advice on the risks this proposal creates in relation to intelligence authorities and surveillance by private parties, in order to develop robust safeguards.
    • Contracts for building the Entry/Exit System (EES) should be conferred only to companies providing systems that guarantee high standards for security, as assessed by independent parties, and which promote resilience to surveillance.
    • Lastly, adoption of the proposal must be contingent upon the presentation of evidence from the Commission on the necessity and proportionality of the proposed measures and an assessment of the existing EU information systems.

What’s next?

As the legislators are reviewing and amending the Smart Borders package, one thing is clear: the proposal creates significant risks for the rights to privacy and data protection. At the same time, the added value of the proposal for efficient border management appears to be limited, particularly given the costs of modernising equipment that local governments and regions and airports would have to face to install e-gates and others elements necessary for the Smart Borders machinery to function.

In short, the proposal does not fit the criteria set by the Commission for better regulation as it does not appear to be fit-for-purpose and undermines recognised rights. We recommend that the EU first conduct a comprehensive assessment of all its border management systems, and how they interact, before creating yet another expensive and potentially harmful system.