Eurodac: Biometrics, Facial Recognition, and the Fundamental Rights of Minors

Since its establishment in 2003, Eurodac (European Dactyloscopy System) has played a fundamental role in the digitisation of migration management and border security in the EU. The Eurodac database contains the fingerprints of all asylum applicants and migrants apprehended in connection with an irregular border crossing. Under proposed reforms to the Eurodac database, its scope is to be expanded to aid authorities in facilitating returns, tackling irregular migration and collecting individuals’ facial images with a view to future facial recognition technology. The recently amended Eurodac proposal released in September 2020 as part of the New Pact on Migration and Asylum (analysed previously on this blog) also proposes to lower the age for biometric data collection from 14 to 6 years old.

This contribution notes the current role of Eurodac and highlights the proposed changes to the system as they relate to minors and their fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union (Charter). The EU asylum acquis, particularly Directive 2011/95/EU (Qualification Directive), considers minors as being children before being migrants. Within this category, unaccompanied minors are understood as non-EU nationals or stateless persons below the age of 18 who arrive on the territory of EU States unaccompanied by an adult. The challenges raised by the proposed expansion of Eurodac are analysed in the context of its impacts on both unaccompanied and accompanied minors arriving in the EU. Whilst many of the challenges identified affect all minors, the focus is on those faced by minors below the age of 14, who are considered to be a particularly vulnerable group and targeted by the extension of the current Eurodac system.

The proposal to lower the age for biometric data collection of minors from 14 to 6 years old poses significant risks to their right to human dignity (Article 1 Charter), their right to the integrity of person (Article 3 Charter), the rights of the child (Article 24 Charter), and the right to respect for private life (Article 7 Charter). These challenges are further complicated by efforts to introduce the interoperability of EU-wide databases, forming an increasingly complex and opaque ecosystem of biometric data processing, profiling and automated decision-making. Considering the inherent sensitivity of biometric data, as highlighted below, and the vulnerable position of minors crossing EU borders, this post also focuses on the right to protection of personal data (Article 8 Charter), especially as elaborated through the principles and rights enshrined in Regulation (EU) 2016/679 (GDPR).

Eurodac: Current and Future State of Play

Since its establishment in 2003, Eurodac has played a central role in assisting authorities to determine which Member State is responsible for assessing an asylum application under the Dublin Regulation. Under the current Regulation (EU) 603/2013 (Eurodac Regulation), Member States must collect the fingerprints of all asylum seekers (otherwise known as ‘Category 1 individuals’); migrants apprehended in connection with an irregular border crossing (‘Category 2’); and third-country nationals found to be irregularly staying on the territory of a Member State for the purposes of determining whether they have previously lodged an application for asylum (‘Category 3’). The personal data of all three categories is collected for individuals over the age of 14 and is currently retained for a 10-year period. The categorisation of migrants and asylum seekers in this way has been criticised for allowing individuals to become subject to arbitrary decisions by Member States’ border authorities.

The Eurodac database has also been identified as playing a central role in the emergence of digital borders, aimed both at controlling internal migration and at identifying and classifying individuals at EU external borders. The 2015 migration ‘crisis’ as well as terrorism events unfolding in the EU in 2015 and 2016 prompted calls to establish a genuine Security Union, supported by the expansion of EU-wide information systems. Gaps in the technological capabilities of these systems, as well as limited access to them by law enforcement authorities, led to proposals to expand their scope and functionalities.

It is within this context that the initial proposal to amend the Eurodac Regulation first emerged in 2016. Whilst an agreement was not reached at the time, renewed attention to migration and border management, as well as potential travel-associated health risks within the COVID-19 pandemic, resulted in the New Pact on Migration and Asylum. Within this Pact, an amended proposal for the Eurodac Regulation was also released, bringing with it a series of technical changes with the aim of putting in place a clear and consistent link between specific individuals and the procedures to which they are subject. It is worth noting that the Pact also included the proposal for the highly controversial Screening Regulation and a new Regulation on Asylum and Migration Management, both to be supported by a ‘transformed’ Eurodac.

Whilst the initial purpose of the Eurodac database was to support the functioning of the Dublin system only, the technical changes proposed to it will turn the database into a general migration and border management system. In addition to lowering the age for biometric data collection from 14 to 6, Eurodac will also include the data of third-country nationals following a search and rescue operation (Recital 4a), will be updated to allow for interoperability (Recital 5a), will link all data sets belonging to one person in one sequence (Recital 14), and will add a new field to mark whether the person in question poses a threat to internal security (Recital 4b). Crucially, Eurodac shall also be able to allow access for law enforcement purposes for the prevention, detection or investigation of terrorist offences or other serious criminal offences (Article 1(d)).

In considering the expected impacts of the changes to the Eurodac database, the amended proposal states that lowering the age for taking fingerprints to 6 years old is aimed at identifying minors for the purposes of contributing to family tracing and reunification (Section 1.4.3., amended Eurodac proposal). It is also aimed at strengthening the protection of unaccompanied minors who might not submit an application for asylum and who might abscond from care institutions or child social services to which their care has been assigned. In this way, registering their biometric data in the Eurodac database would contribute to ‘keeping track of them’ and potentially preventing them from ending up in situations of exploitation (Section 1.4.3., amended Eurodac proposal).

In addition, the proposal states that within three years of adoption, the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA) shall conduct a study on the technical feasibility of adding facial recognition software on the basis of facial image data stored in Eurodac. However, the proposal does not cite any data or evidence that justifies the need to collect minors’ facial images with a view to future facial recognition applications.

In relation to biometric data collection, the 2016 proposal to amend the Eurodac Regulation states that it shall be carried out in a child-friendly and child-sensitive manner by trained officials (Article 2(2)). The minor should be informed of the data collection in an age-appropriate manner and shall be accompanied by a responsible adult or representative at the time of collection (Article 2(2)). However, there are no additional guidelines or specific information with regard to how the criteria of ‘child-friendly’ and ‘child-sensitive’ shall be fulfilled, potentially leading to the fragmentation of standards at Member State level. It is regrettable that the later amended Eurodac proposal also does not clarify these points.

A brief overview of the main amendments suggested by the amended proposal indicates a significant expansion in scope, and the addition of facial images as a new category of biometric data. Having identified the key features of the amended proposal, further analysis is required with regards to the specific characteristics of biometric data.

Biometric Data: Vulnerability and Reliability

A biometric is a physical or biological feature or attribute that can be measured through a statistical process. In comparison to alphanumerical data, biometric data often provide a reliable means of establishing a person’s identity through the verification of their unique physical characteristics. Biometric data include not only fingerprint images, but also facial images, iris scans, voice recordings, and DNA samples. Biometry has been championed as a reliable tool to help border authorities determine an individual’s identity. At the same time, biometric data are recognised as sensitive personal data under the GDPR, meaning that appropriate legal bases and additional safeguards must be in place, and impact assessments must be conducted, before deciding to process biometrics for a specified purpose.

The proliferation of biometric data collection has already drawn much criticism, with privacy advocates in Europe calling for a ban on biometric mass surveillance brought about by ubiquitous, highly intrusive technologies. The untargeted processing of biometric data has been portrayed as an architecture of oppression, the consequences of which are likely to have a disproportionate impact on marginalised populations that are already subject to increased surveillance and policing. The collection of biometric data in this context has led to asylum seekers taking drastic measures to evade an increasingly opaque European asylum system.

It is worth noting that whilst the calls for a ban on biometric surveillance in Europe arise from the ‘untargeted’ processing of biometric data, third-country nationals including minors are subject to specific, organised and targeted systems of social sorting and surveillance, as is presented later in this post. It is within this context that we must consider the collection of sensitive biometric data of minors as young as 6 for a variety of purposes, including to determine whether they pose a security risk.

Minors are vulnerable not only by virtue of their age, but also due to their often-irregular migration status and the legal limbo they find themselves in. The collection of sensitive biometric data and the introduction of invasive technologies to track and monitor them further compound this vulnerability. Whilst the intentions of the amended Eurodac proposal include the need to identify children that are missing or may have been separated from their families, it is questionable whether the additional requirement to collect their facial images can be deemed necessary or proportionate in accordance with EU law.

Particularly as they relate to minors as young as 6, whose facial characteristics will change considerably in a short period of time, the deployment of facial recognition technology may not prove efficient. Recent research investigating current state-of-the-art facial recognition systems found a negative bias and considerable degradation in performance for algorithms deployed on children, compared to the performance obtained in adults. In a report of the Fundamental Rights Agency, entitled Under Watchful Eyes, experts also expressed concern about the reliability of a fingerprint match when a long period of time has passed since a child’s fingerprint was first taken. Migration lawyers, researchers and activists point to the ‘techno-solutionism’ embodied by the Eurodac proposal, in which migrant communities act as technological testing grounds and are increasingly subjected to invasive technologies, despite concerns surrounding their accuracy.

The issue of data reliability and quality is especially pertinent for the processing of biometric data in the context of Eurodac and other EU-wide, large-scale databases. Article 5 of the GDPR provides that personal data shall be processed lawfully, fairly and in a transparent manner, and that it must be collected for specified, explicit and legitimate purposes. Crucially, personal data must be relevant, and kept accurate and up to date. The fulfilment of these basic principles is paramount to ensuring minors’ fundamental right to personal data protection, but also to avoid significant, negative legal effects resulting from a breach of this right.

A Variety of Purposes and Interoperability

A complicating factor in the risks posed to the fundamental rights of minors arriving in the EU is that Eurodac forms but one piece of the ‘puzzle’. As explained, one of the priorities identified by the amended Eurodac proposal is to ensure the database is technically feasible for interoperability. Interoperability refers to the ability of IT systems and of the business processes they support to exchange data and to enable the sharing of information and knowledge. Regulation (EU) 2019/818 (Interoperability Regulation) establishes interoperability between the Schengen Information System (SIS), the Visa Information System (VIS), the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS), the Eurodac, and the European Criminal Records Information System (ECRIS) that will also include the data of third-country nationals (ECRIS-TCN).

This intricate tapestry of EU-wide databases and their ability to ‘talk’ to each other have caught the attention of the European Data Protection Supervisor (EDPS), which has called for an in-depth fundamental rights and data protection impact assessment to mitigate the risks posed to the fundamental rights of data subjects. Indeed, the interoperability of databases which serve different functions makes it increasingly complex to explain to minors the purposes for which their biometric data are collected and the reasons why.

Further, interoperability blurs the line between a variety of purposes for which databases are developed and deployed. By addressing asylum, migration, crime and security as one, there are risks that migrants and migration are treated as a priori threats. Determining whether migrants pose a risk to security by means of large-scale automated processing on the basis of EU-wide databases containing biometric and other personal data inevitably requires a clarification of processing purpose(s). This would not only be in line with purpose limitation and specification requirements of the GDPR, but it would also help fulfil the requirement to provide migrants with adequate, meaningful information in the context of an automated decision. This is particularly relevant in light of the possible inaccuracies of children’s biometric data as identified above.

The Right to Information and the ‘Right to an Explanation’?

Under EU data protection law, data subjects have the right to know and understand the data collected from them and the purposes for which such processing is necessary. The right to information is also a precondition for a child to exercise their right to be heard in judicial and administrative proceedings, a fundamental right which is enshrined in Article 24(2) of the Charter. Under Article 12 of the GDPR, information must be provided in clear and simple language, an obligation which becomes increasingly complicated considering the young age of the data subject in this context.

By looking at existing practice as to how the biometric data of minors is collected under the current Eurodac system, research conducted by the Fundamental Rights Agency shows that minors are not always informed when their fingerprints are taken. Due to this lack of specific and unified guidelines at the EU level, practices across EU Member States vary greatly. Whilst some States have specialised units responsible for providing minors with adequate information using different visual aids, others have no procedures for ensuring the right to information. Guidance is therefore urgently needed, as well as a clear plan for how specialised officers shall be trained.

Intricately tied to the right to information is the furiously debated existence of the ‘right to an explanation’ proposed by the GDPR. Although this right is not explicitly mentioned by the GDPR, Articles 13-15 of the Regulation nevertheless provide for the right to meaningful information about the logic involved in automated decisions. For minors, the existence of automated decision-making can indeed produce significant legal effects. Being the subject of a wrongful ‘match’ and possibly being returned to an unsafe country of origin, or having an application for asylum wrongfully denied, poses specific risks to minors’ fundamental rights.

The ‘right to explanation’ therefore seems particularly relevant in this context – however, having identified some of the existing challenges in providing clear and understandable information to minors with regards to the processing of their biometric data, how could such a right to explanation be fulfilled in practice? Contrary to fingerprints, which have been collected from asylum seekers under Eurodac since 2003, we are still discovering the impacts of deploying facial recognition technology to identify third-country nationals, including minors. Perhaps in this context, there is weight to the argument that minors as young as 6 should not be made subject to these systems in the first place.

Concluding Thoughts: What Does the Future Hold for Minors in the EU?

Although the amended Eurodac proposal has not yet been adopted, the European Commission expects co-legislators to adopt the legislation swiftly, which will be followed by the implementation of the Interoperability Regulation in 2022. Of course, the full extent of the implications of EU-wide biometric databases and their interoperability cannot be fully known until they are entirely operational. However, several fundamental rights risks have already been identified, particularly as they relate to the fundamental right to personal data protection and the protection of the rights of the child.

Whilst these impacts are of a largely legal nature, it cannot be denied that the collection of minors’ biometric data may hold socio-economic and psychological implications. The potential of a false ‘match’ affects not only the minor’s legal position, but also their health and wellbeing and their ability to access education and adequate housing and to integrate in the local community. Furthermore, the proposal to collect minors’ facial images with a view to future facial recognition technologies may create a feeling of being constantly watched. Such surveillance occurs within inherent power imbalances, where the powerful surveil the powerless to decide whether they are to be subject to more intrusive attention. More research is required on the impacts of continued surveillance and heightened forms of policing on minors and their development.

In a similar vein, the collection of biometric data forms a central component of surveillance as social sorting, which points to methods of verifying identities, assessing their risks and worth, and of creating long-term social differences on those bases. Whilst David Lyon’s analysis was published in 2002, it is still just as relevant today as we see the further proliferation of biometric databases as part of the New Pact on Migration and Asylum. The proposed expansion to the Eurodac system may therefore have long-term impacts not only on vulnerable minors, but also on migrant communities more broadly.

Finally, it is likely that the COVID-19 pandemic may exacerbate calls towards more closely scrutinising and surveilling third-country nationals arriving in the EU, the effects of which could be devastating for minors in particular. Therefore, prior to increasing the expansion of complex biometric systems for decision-making, key questions with regards to accountability, access to justice, explainability and fundamental rights first have to be addressed by proposals to expand their scope.