The latest personal data grab: is the EU a global leader in personal data protection?
The EU’s claim to data protection leadership has been badly let down by ETIAS – an unnecessary and disproportionate personal data grab.
The development of the European Travel Information and Authorisation System (ETIAS), which is the EU counterpart to the US ESTA and the Australian ETA, is moving forward and it is now planned to install the system by 2022. Anyone coming from a country whose nationals are not subject to mandatory visa requirements or is not an EU resident will have to apply online for travel authorisation before travelling to the Schengen area and get pre-vetted on the basis of background checks against information systems, screening rules and a dedicated watchlist.
The authorisation will apply only to tourism, namely visits of 90 days out of every 180 days, and will be valid for three years. The system is promised to be speedy – in the majority of cases a decision will be issued within minutes – and cheap (Euros 7 as opposed to Euros 80 for a Schengen visa).
The system will be set up pursuant to Regulation 2018/1240 and will encompass extensive interoperability with other EU information systems (Schengen Information System – SIS –, Visa Information System – VIS –, Eurodac, Entry/Exit System, Europol and certain Interpol databases).
Here, we scrutinise the categories of personal data that will be collected from ETIAS applicants. We argue that ETIAS entails the processing of a wide array of personal data, in certain cases beyond what is required for the processing of an application for a Schengen visa in accordance with the Visa Code, or what is currently required by visa-free travellers on entry into the Schengen area under Regulation 2016/399.
The EU prides itself on being a global leader in personal data protection by having elaborated a comprehensive data protection legal framework and using it as a benchmark for measuring the adequacy of the privacy rules prescribed in third countries. Furthermore, EU Member States are currently ratifying the Council of Europe’s new Convention 108+, which places strict limits on automated processing of personal data.
We challenge the EU claim to excellence and question the compatibility of ETIAS with the Charter (Articles 7 and 8) and Convention 108+ with respect to the categories of personal data processed.
Which categories of personal data will be collected and stored?
Article 17(2) of the ETIAS Regulation sets out what personal data ETIAS applicants must disclose when applying for travel authorisation. The requirements can be divided into two groups: (1) those categories of data which are not controversial as regards their necessity and proportionality in relation to the purpose for which the data is provided – after all, an ETIAS authorisation will function as a ‘light visa’; and (2) those categories which may be questionable or outright excessive with regard to the necessity and proportionality of their collection.
In the first group we accept that it is proportionate that the following information is collected: the applicants’ names (current and at birth), country of birth, sex and current nationality. Also proportionate is the requirement to provide some information about the applicants’ travel documents (place, issue and expiry etc). It may even be accepted that information on contact details is proportionate.
In the second group, the personal data that are required but do not obviously comply with the requirements of necessity and proportionality, and thus merit further assessment, are the following: first names of the applicants’ parents; other names such as artistic names; the applicants’ home addresses or city and country of residence. Even more problematic in this category are the requirements that applicants provide personal data on education (primary, secondary, higher or none), current occupation by job group (the groups will be decided by the Commission through a delegated act) and, where someone (or an organisation) has assisted an applicant with the application process, their individual names, the organisation’s name, email address, mailing address, phone number and relationship with the applicant.
Perhaps the most dubious requirements concern the questions whereby the applicants must provide information about convictions of criminal offences over the previous ten years (20 years in respect of convictions of terrorism offences), the date of the conviction and the country where it was made. Further, applicants must provide information on whether they have ‘stayed’ (no indication of the length of that stay) in a specific war or conflict zone (for the moment undefined) over the previous 10 years. The reason for the stay must be included. Additionally, applicants must provide information on whether they have ever been subject to a decision requiring them to leave a country (whether EU or any EU-designated non-mandatory visa country). Finally, the ETIAS information system will collect the IP address from which the application form was submitted.
Why are Group Two requirements problematic?
In a series of judgments, the Luxembourg and Strasbourg Courts have made clear that the categories of personal data collected must be clearly defined (Opinion 1/15 and Rotaru v. Romania respectively). Furthermore, data minimisation is a key principle of EU data protection law, envisaged in Articles 5(1)(c) of the General Data Protection Regulation (GDPR) and 4(1)(c) of the Law Enforcement Directive (Directive 2016/680), requiring that personal data must be ‘adequate, relevant and not excessive in relation to the purposes for which they are processed’. In addition, Article 5(4)(c) of the Convention 108+ foresees the principle of data minimisation, the definition of which replicates the one in the EU data protection legislation, as mentioned above.
Are these prescriptions respected in the ETIAS Regulation? This section provides some reflections regarding the proportionality of certain categories of personal data collected.
Starting with personal data that are not special in nature, as regards the names of the applicants’ parents, there is no apparent reason why this information is relevant. Even if this information could be used to distinguish applicants who have the same name, ETIAS will collect other personal data (such as the date of birth or travel document details) that may equally prevent confusion as to the identity of the applicants.
Besides, Article 9(4) of the VIS Regulation (Regulation (EC) 767/2008), which lays down the categories of personal data collected from Schengen visa applicants, does not prescribe the collection of details on the parents of the applicant.
Further, collecting and storing information on the education of the ETIAS applicant is excessive for a number of reasons: a) it is also not foreseen in connection to visa nationals; b) it is not even foreseen in the requirements for issuing a US ESTA authorisation; c) it may lead to discriminatory treatment, whereby applicants of lower education may have fewer chances of passing pre-vetting under the assumption that they may present a higher irregular immigration risk.
The elaboration of the screening rules will be crucial as to the impact of education in the prospects of ETIAS applicants to be granted an authorisation. Moreover, as the European Data Protection Supervisor (EDPS) has noted in relation to the collection and storage of the IP address of the applicant, it is difficult to comprehend why it has been included among the list of categories of data.
Another important issue involves the indication of staying in a specific war or conflict zone. As the Fundamental Rights Agency (FRA) has pointed out, large parts of territories in some visa-free third countries have been hit by armed conflicts (Western Balkans, Eastern Ukraine). Furthermore, there may be different interpretations as to whether or not an area qualifies as a conflict zone (for example, South Ossetia).
Special categories of personal data
The processing of special categories of personal data is even more complex. According to Article 9 of the GDPR, special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric or health data or data concerning a person's sex life or sexual orientation is prohibited.
It is true that by contrast to other EU information systems ETIAS will not process biometric data – but non-visa travellers will still be subjected to the Entry/Exit System, which requires the storage of a facial image and four fingerprints. However, by combining information on name, residence, country of origin, education, occupation and email address, information on race, ethnic origin or religion may become evident. Furthermore, by revealing information on occupation, information about trade union membership may also be revealed.
In addition, personal data relating to criminal convictions and offences also amount to sensitive personal data in accordance with Article 10 of the GDPR. As such, the collection and further processing of such data requires an even stricter proportionality assessment. The ETIAS Regulation assumes that the question posed to the applicants will not be generic and relating to conviction ‘of any criminal offence in any country’ as the ETIAS proposal foresaw (Article 15(4)(c)). Indeed, that vague wording was not acceptable since the watchlist drawn by Europol will be based on terrorist offences and other serious crimes and that discrepancy was not justified.
From an operational perspective, the potential flagging of a high number of applications requiring verification by the ETIAS Central Unit and potentially manual processing by the ETIAS National Unit would be overwhelming. The EDPS suggested the tested solution of referring to offences for which the requirement for dual criminality is abolished and are listed in Art 2(2) of the European Arrest Warrant Framework Decision (which replaced extradition among the Member States and provided that the minimum maximum penalty is at least three years of imprisonment) – the same offences for the prevention, detection and investigation of which law enforcement access is possible under Article 60 of the ETIAS Regulation.
However, the final text refers to an ad hoc list displayed in Annex I. An eagle’s eye would notice a few differences between the two lists. On the one hand, Annex I has dropped three offences: swindling; racketeering and extortion; and forgery of means of payment. However, these offences may be more broadly included under ‘fraud’. On the other hand, the Annex incorporates two offences that are not traditionally considered serious: industrial espionage, and racism and xenophobia.
The final wording that specifies the list of offences (albeit not in the most satisfactory manner) does not solve the issue that the criminal conviction may practically be from any country. As the FRA has stressed, it may be the case that third countries criminalise behaviour that is protected under EU law, such as participation in certain political groups. Importantly, the requirement takes no account of the fact that convictions may be ‘spent’ (no longer disclosable) under national law, nor of the differences even within the EU. For instance, in some Member States it is a crime for a woman to have an abortion (homicide), whereas in most Member States the decision to have an abortion and its realisation is lawful. Further, the criminal justice systems of many non-EU states are very different and of variable credibility.
What difference is there between the personal data required under ETIAS and that required by third-country nationals on entry?
At the moment, nationals of visa-free countries who in the future will have to apply for an ETIAS authorisation are subject to the Schengen Borders Code (Regulation 2016/399, as amended). Article 6 of the Code lays down the entry conditions for third country nationals, which are the following: applicants must have a valid travel document for entry (issued within the past ten years and valid for at least three months from entry); a visa if they are visa nationals (or a relevant residence document); justification of the purpose of their visit and that they have sufficient means (based on the daily minimum amount specified by the Member States in their notifications to the Commission) and travel medical insurance; they are not persons in respect of which there is an alert as unwelcome stored in the SIS (implying a check on that database but not other EU databases) and they are not a threat to public policy, internal security, public health or international relations (including where there is no alert on national databases to this effect).
Annex I of the Schengen Borders Code includes a non-exhaustive list of supporting documents which border guards may request. It is obvious that this is a much more limited list than that contained in the ETIAS Regulation. In relation to visa nationals, the Visa Code (Regulation 810/2009, as amended) applies and its Article 21 requires a check that applicants have the documents required for entry at the border plus a check of VIS (so another EU database is checked as well).
Overall, the current EU legislation for entry of third country nationals at the borders and the issue of Schengen visas requires very substantially less documentation than ETIAS. As stressed in the previous section, there are even specific categories of personal data which are requested in the context of ETIAS, but not in the framework of VIS.
Why is this as it is?
We want to highlight how the forthcoming ETIAS will entail the collection of a wide range of personal data which goes far beyond what is currently required by the SBC and VIS Regulations and to some extent even beyond the US ESTA (a country with notoriously lax personal data protection).
The processing of special categories of personal data is also not circumscribed in an adequate manner. These findings call into question the extent to which the EU is indeed the world leader in personal data protection. These rules will affect millions of travellers in the future; at the time of writing it is estimated that nationals of around 60 countries worldwide do not need a visa to enter the EU. The application of ETIAS to nationals of the United Kingdom in the post-Brexit era is also to be expected.
So, how can the assimilation of visa holders and visa-free nationals be explained? It has been noted elsewhere that there is a progressive move towards the surveillance of movement of all third-country nationals with an administrative or criminal law link with the EU in an effort to solve the ‘puzzle’ of identifying unwanted third-country nationals through the processing of their personal data in information systems.
A key reason behind this negative turn in the treatment of visa-free travellers concerns the visa policy of the EU, whereby a series of countries have been taken off the black list of countries whose nationals require a Schengen visa to travel to the EU so as to boost tourism. As a result, the ETIAS must be viewed in the light of these parallel developments and as a necessary corollary to the liberalisation policies of the EU driven by economic considerations; black listed countries are no less trusted than those in the white list, therefore the amount of personal data to be collected must be even more extensive, particularly since ETIAS is largely automated and no human intervention is foreseen when issuing travel authorisation.
The EU’s claim to data protection leadership has been badly let down by this unnecessary and disproportionate personal data grab.