POST 21 OF THE SERIES OF THE ODYSSEUS BLOG ON THE PACT ON MIGRATION & ASYLUM
By Niovi Vavoula, Associate professor in Cyber Policy, University of Luxembourg
1. Introduction
Eurodac (European Asylum Dactyloscopy Database) is the EU-wide, large-scale IT system (database), initially designed to assist in the implementation of the Dublin system for the determination of the Member State responsible for examining an application for international protection. It is then an important, yet relatively under-researched, tool of the Common European Asylum System (CEAS). At the same time, it forms part of a complex network of centralised and soon-to-be interoperable EU/Schengen IT systems along with the Schengen Information System (SIS), the Visa Information System (VIS), the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the European Criminal Record Information System for Third-Country Nationals (ECRIS-TCN). As such, Eurodac sits on two stools: on the one hand, it follows the pathway of the rest of the CEAS instruments, and on the other hand, it belongs to an ever-growing family of centralised databases in the field of migration, asylum, and border management.
This blog post provides a concise overview of the main changes in the revamped Eurodac under the newly adopted Regulation (EU) 2024/1358 (revised Eurodac Regulation), part of the New Pact on Asylum and Migration instruments, and critically appraises the relevant fundamental rights concerns. In its first part, the blog post outlines Eurodac’s currently applicable rules (Part II), followed by a synopsis of the revised rules that will apply as of 2026 (Part III). Finally, Part IV analyses key fundamental rights issues stemming from the reconfiguration of Eurodac following the adoption of the recast Eurodac Regulation.
2. Eurodac as the Sidekick of the Dublin System
Eurodac is intrinsically linked to the operation of the Dublin system to track onward movements of asylum seekers from the Member State of first irregular entry to further Member States in the EU. According to Regulation (EU) 603/2013, the current legal basis of Eurodac, Member States must collect the fingerprints of every applicant for international protection over the age of 14, which are then compared with fingerprints collected and stored by other participating countries to Eurodac (that is, EU Member States, as well as Dublin Associated States) (Category 1). If a Eurodac check reveals that fingerprints have already been recorded in another Member State (a ‘hit’ in the technical jargon), the latter Member State could be requested to ‘take back’ or ‘take charge’ of the asylum applicant on the basis of Dublin rules.
Member States must also collect the fingerprints of all third-country nationals apprehended in connection with an irregular border crossing, to be compared against fingerprints subsequently collected from applicants for international protection (Category 2). As for third-country nationals found illegally staying on a Member State national territory (Category 3), their fingerprints may be collected and checked against Eurodac records to determine whether they have previously applied for international protection in another Member State. In practice, however, neither are Member States obliged to undertake the procedure, nor would that data have to be stored within the system. Overall, this process of biometric tracking can settle whether asylum seekers belong, territorially and jurisdictionally, to the place they physically find themselves. According to latest report on the functioning of Eurodac, adopted by eu-LISA, the EU agency responsible for the operational management of large-scale IT systems, including Eurodac, in 2023, 1,776,914 fingerprint data sets were transmitted to the Eurodac Central System, of which 1,024,923 were recorded in Category 1 (asylum applications), representing 58% of the total. A further 447,745 data sets (25% of the total) were recorded in Category 3 (third-country nationals found to be staying irregularly) and 302,137 data sets (17% of total) were recorded in Category 2 (irregular crossings). However, during the so-called refugee crisis of 2015-2016, several participating states, such as Greece and Croatia, became overwhelmed with the obligation of fingerprinting those that arrived at the external borders and failed to comply with their Eurodac obligations (also see here), due to infrastructure deficiencies or unwillingness of state authorities to take responsibility.
Apart from a full set of fingerprints, Eurodac stores limited information on the sex of asylum seekers and irregular border crossers, the date of registration and transmission of fingerprints, and the Member State of origin. Each dataset on asylum applicants is stored for ten years. If, in the meantime, an asylum seeker is recognised as a refugee or beneficiary of subsidiary protection, the data are ‘marked’, which means that in the record it is indicated that the person concerned is a beneficiary of international protection, and the fingerprints may be accessed for law enforcement purposes for three years, before they are ‘blocked’ until their erasure. As regards records of irregular border-crossers, the retention period is 18 months. Regulation 603/2013 allows law enforcement authorities and Europol to consult, under specific conditions, Eurodac fingerprints for the purpose of preventing, detecting and investigating terrorist offences and other serious crimes. Transfers of Eurodac data to third countries are prohibited, except in the context of law enforcement, but even then they are prohibited if there is a serious risk that as a result of such transfer the data subject may be subjected to torture, inhuman and degrading treatment or punishment or any other violation of their fundamental rights.
3. The Transformation of Eurodac into an Immigration Database
In 2016, the Commission adopted a proposal revising the Eurodac rules as part of a broader reform of the CEAS. Nonetheless, the Commission proposal also aimed at supporting the EU’s return policy, essentially detaching the database from its asylum roots and repackaging it as a tool for wider immigration purposes. The negotiations on the 2016 proposal led to an interinstitutional agreement between the co-legislators, but no formal adoption of the new rules took place pending agreement on other CEAS proposals, primarily the Dublin IV Regulation proposal. In 2020, the Commission proposed further amendments, in the framework of the New Pact on Migration and Asylum, on which a basis agreement was reached in December 2023 (for an analysis see here, here and here). Regrettably both proposals only provided targeted amendments to Eurodac rather than fully recasting the instrument, thus making it particularly difficult to track the changes. In addition, the interinstitutional agreement remained secret for years, further exacerbating the opacity of how the revamped Eurodac would operate.
Regulation (EU) 2024/1358 combines the amendments stemming from the two proposals and the main changes can be summarised as follows. Eurodac acquires new functions relating to assisting in returning irregular migrants; selecting persons for admission and resettlement; protecting children; supporting other systems; and, becoming a primary pool of information for compilation of statistical data to enable evidence-based policy making. This is reflected in Article 1(1) of the Eurodac Regulation, which lists no less than 10 purposes. Eurodac is expanded both qualitatively and quantitatively with a view to better tackling irregular movements and monitoring the paths of asylum seekers and irregular migrants.
To those ends, the personal scope of the Regulation is extended, and the minimum age for fingerprinting is lowered to six years old (Article 14). Personal data on persons who are found irregularly present will be mandatorily centrally stored (not merely used for consultation), as well as data on beneficiaries of temporary protection (excluding Ukrainian nationals – Recital 10) from 2029 onwards will be collected. In addition, the database will comprise the data of persons registered for conducting an admission procedure under the EU resettlement and humanitarian admission framework (Articles 18-19) or national resettlement schemes (Articles 20-21). Individuals who are disembarked following a search and rescue (SAR) operation are distinguished from other groups of asylum applicants or irregular migrants, which means that they will be recorded in Eurodac under a separate category primarily to allow for precise statistical data and evidence-based policy making (Article 24). All datasets registered in respect of the same individual will be linked together (Article 3(6)) to avoid the ‘double counting’ that currently occurs. Moreover, Eurodac data will be used in an anonymised to generate various types of statistical data for example, how many individuals have applied for international protection, how many have been subject to a SAR operation including cross-system statistical data (e.g. asylum seekers who had first applied for a visa via the VIS, that will be used for more evidence-based policy making (Article 12).
On top of a full set of fingerprints, Member States will be obliged to capture a facial image (thus a second type of biometric data) and many more categories of personal data, such as various biographical data and copies of travel or identity documents to assist in identification and issuance of travel documents for returning irregular migrants. In addition, Member States must record whether, following security checks in accordance with the Screening Regulation, a person could pose a threat to a country’s internal security, if they are armed, violent, or there are indications that the person is involved in terrorist activity or serious crime (Articles 17(2)(i), 22(3)(d), 23(3)(e) and 23(3)(f)), a so-called security flag. The retention period of records on irregular border-crossers and irregular migrants is raised to five years. The retention period in respect of personal data of individuals on an admission procedure will vary, depending on the data, between three and five years. For beneficiaries of temporary protection, the retention period is one year, renewable (Article 29). In addition, transfers of Eurodac data to third countries are permitted for the purpose of identifying and re-documenting irregular migrants in the process of return and readmission.
The conditions of law enforcement access are significantly simplified. Firstly, intelligence services, which were excluded from being designated to request comparisons of fingerprints with Eurodac, can now be designated at national level to consult Eurodac (Article 5). Secondly, the requirement of national databases and the Automated Fingerprint Identification Systems of the other Member States is side-lined (Article 33). This is primarily due to the interoperability framework, which streamlines law enforcement access by allowing authorities to conduct a first check to all EU IT systems to determine whether information exists in any database without the need to fulfill any conditions of access (see here). Finally, the data on beneficiaries of international protection will be available for law enforcement purposes until their erasure, therefore not for three years only (Article 31).
The additional registration requirements are coupled with additional fundamental rights references (e.g. Articles 1(2) and 13(2)). However, administrative measures to ensure compliance with the obligation to provide biometric data can be imposed in accordance with national law and these must be effective, proportionate, and dissuasive and may include the possibility to use means of coercion as a last resort (Article 13(3)). An exception for vulnerable people due to the condition of their fingertips or face is foreseen (Article 13(4)). Article 14 provides special rules regarding children prescribing a ‘child-friendly’ and ‘child-sensitive’ registration of biometric data ‘in full respect of the best interests of the child’, which involves an adult in recording the biometric data (family member, representative).
Finally, the right to information is reinforced by requiring that more extensive information is to be provided to individuals subject to Eurodac, in writing and, where necessary, orally, in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ (Article 42(1)). Additional safeguards are included in relation to children, whose right to information will be safeguarded in an age-appropriate manner (Article 42(2)).
4. Examining why the Transformation of Eurodac Is Disproportionate
Eurodac rules have long raised significant concerns regarding their compatibility with various fundamental rights, particularly the rights to private life (Article 7 of the Charter of Fundamental Rights) and protection of personal data (Article 8 of the Charter of Fundamental Rights). The growing transformation of Eurodac from an administrative tool in support of the Dublin system to a law enforcement tool and now to a multi-functional database exemplifies the growing trend of blurring the distinction between policy areas in the area of freedom, security, and justice, and notably: asylum, migration, police cooperation, internal security, and criminal justice (see here and here). This blurring is particularly evident in the watering down of the conditions of access under the new rules, which disregards the specificities of Eurodac as a system containing data on asylum seekers and embraces the assimilation of the different groups of third-country nationals, all of whom are considered to present a security risk.
The lowering of the fingerprinting age has been justified as a means to assist in the identification of minors who are separated from their families, or who abscond from care institutions or from child social services. Whereas the protection of children did not feature in the objectives of Eurodac in the 2016 Commission proposal, the revised Eurodac Regulation explicitly includes this aim. Notwithstanding the existence of several safeguards regarding the processing of personal data of children, the coercion of minors to capture their biometric data is not fully proscribed, and the reliability of biometric data of minors is questioned, in light of the long retention period during which a person’s appearance may significantly change.
Furthermore, the increased categories of personal data collected, and particularly the cumulative effect of comparing a facial image along with fingerprints, will result in higher levels of accuracy. Nonetheless, this comes at the price of deeper surveillance of applicants of international protection and irregular migrants, worsening the negative connotations of criminality generated by fingerprinting, and deepens the feeling that the movement of these individuals is monitored. This is particularly the case considering that the identification through facial images will rely on facial recognition technology and Artificial Intelligence (AI) (see here). Besides, more categories of personal data may actually exacerbate the existing data quality problems of Eurodac (for example, see here and here). Experience from SIS and VIS demonstrates that the storage of many categories of personal data in records has been coupled with longstanding data quality issues (see here and here). In addition, national authorities already arbitrarily miscategorise third-country nationals, for example, as applicants of international protection instead of individuals apprehended in connection to irregular border crossing (see here) and the addition of many more categories of individuals falling within the scope of Eurodac may increase the risk of miscategorisation.
A category of personal data which is particularly worrying from a data protection standpoint is the addition of information regarding whether an individual poses a security threat. In particular, it is unclear what information will be included in Eurodac in relation to a person posing a threat to EU internal security. This may range from a simple ‘tick box’ process, to a free text input system where a national authority can add as much information as it wishes. As a result, this data field lacks clarity and precision and breaches the principle of data accuracy of data protection law (Article 5(1)(d) of the EU General Data Protection Regulation). It could also have a lasting effect on individuals as the security flag may be used for rejecting applications for international protection.
Furthermore, challenges regarding the right to human dignity and the possibility of individuals being detained during the fingerprinting process have been raised. Asylum seekers who flee persecution, may not feel comfortable registering their fingerprints for various reasons, for example because they may have had traumatic experiences with providing their fingerprints to police, or because they fear the fingerprints may be shared with national authorities in their country of origin, endangering family members that remain there. Lack of cooperation may lead to deprivation of liberty through detention, and even physical or psychological coercion to overcome resistance, which could risk re-traumatisation and re-victimisation. The revised rules legitimise such practices and leave significant leeway to Member States regarding the imposition of administrative measures for non-compliance with the requirement to register biometric data. Regrettably, the exception for the imposition of such measures is narrow: children, including unaccompanied minors, could be subject to administrative measures, including coercion. In a rather contradictory wording which assimilates adults and children, Article 14(1) of the Eurodac Regulation states that ‘no form of force shall be used against minors’, however ‘where permitted by relevant Union or national law, as a last resort, a proportionate degree of coercion may be used’.
The strengthening of the right to information is a welcome addition to Eurodac rules. Eurodac has been critiqued for the limited possibilities of individuals subject to its rules to have access to effective extrajudicial and judicial remedies, evidenced by the few requests for access, rectification, and deletion of Eurodac data (see here). A prerequisite for the exercise of other individual rights (of access, rectification, erasure, completion and restriction of processing) is how effectively, and completely, information has been provided to individuals. It remains to be seen whether the reinforced safeguards will be sufficient. For instance, a requirement for Member States to ensure that all individuals subject to Eurodac rules have comprehended the content of the information provided remains elusive. Practice shows that the provision of information does not always mean that individuals have understood that information (see here, which demonstrates improvement in this area, but there is room for further development) due to their vulnerability, prior trauma, or difficulties with absorbing data protection-related information as they may be preoccupied with more acute priorities. Furthermore, the potential that personal data already stored in the system collected from individuals who have not been informed about the additional new uses of Eurodac creates an ‘information creep’. This means that individuals may find themselves in a return procedure based on fingerprints that have been provided prior to the enactment of the revised rules.
Finally, the future use of Eurodac for return purposes opens the system up to the potential transfer of stored data to third countries. Regrettably, there are no limitations or specifications as to the categories of personal data to be transferred, or any specific safeguards relating to transfers of data of children. It must be emphasised that the countries of return of irregular migrants will not, in the vast majority of cases, provide adequate, meaning essentially equivalent, protection of personal data to that offered at EU level.
5. Conclusion
This blog post demonstrates the profound transformation of Eurodac from a database with a primarily unitary, asylum-related purpose, to a multi-purpose database, with highly sophisticated functions. Though the Eurodac rules have been carefully drafted, the fusion of migration, asylum, and criminal law, and the aim of facilitating administrative cooperation results in various fundamental rights challenges, while the safeguards contain significant loopholes. It remains to be seen how practical implementation of Eurodac will unfold, especially having in mind the bigger picture of Eurodac being a part of a complex framework of interoperable large-scale IT systems. Eurodac is not part of the Schengen Evaluation and Monitoring Mechanism. Therefore, supervision by the national data protection authorities, the European Data Protection Supervisor (EDPS), and their cooperation within the Coordinated Supervision Committee, are of utmost importance to safeguard the fundamental rights of applicants for international protection, for refugees, and for other categories of migrants that are subjected to Eurodac.