Producing (in)securities in the EU? Questions about the legitimacy of new biometric policies applied to border control

Last July, an encounter in the form of a seminar titled “Governing (in)securities” was held in the city of York (UK). Organized by the Europe, Migration and the New Politics of (In)security Research Network[1], it brought together academics and researchers from Europe who specialize in migration in its many intersections with human rights, international relations and technology. During the event, the experts presented research findings regarding the political and social evolution of the so-called “refugee crisis” and different case-studies about the current situation of refugees in Europe. It turns out that many sociological and geopolitical studies, analysing both contextual factors and migrants’ experiences in different European cities and borders, have revealed serious violations of international laws.

Issues like the “externalization” of the EU border policy handed over to Turkey or the fragmented response of the Member States to the refugees’ needs were underlined during the meeting. Furthermore, different forms of political instrumentalization of the immigration problematics, including the intensified nationalistic discourse, were described and discussed. The researchers questioned even the use of the word crisis for referring to the increasing number of migrants arriving to Europe witnessed between 2014 and 2016. According to some, the EU was actually quite prepared economically to face the situation, whereas the political discourses that supported this negligent management of the humanitarian emergency had more to do with the creation of a “black box” where political decisions were taken. The many implications of such a situation concerning the quality of democracy in the region were of course discussed, also addressing how a violation of the 1951 Refugee Convention will cause a direct impact on the legitimacy of human rights law and consequently on the lives of millions of refugees and exiles around the globe.

While this process undoubtedly represents a historical shift in terms of Europe´s political agenda, one of the most relevant innovative aspects of the EU border policy discussed in York relates specifically to the use of technology. Among the strong impacts that this border policy has brought upon, we can distinguish those related to the processing and storage of migrants’ personal data, including their biometrics.

101012-N-7061S-018Datafication of EU borders and migrants’ right

Experience shows that privacy rights are commonly not prioritized when analyzing migration processes, so policies and externalities related to them remain quite hidden. On the other hand, since 9/11, airports and border crossing areas have become critical infrastructures and, some may say, states of exception (Bigo, 2006:47). The implementation of data intensive technologies in this context has become a key instrument for verifying identities and monitoring stays in many countries around the globe (Amoore, 2006). The EU “refugee crisis” also boosted this policy trend in Europe, where since 2013 the changing legislation has been increasingly oriented towards extending the technological systems of border control (Bigo, 2014, Marin, 2017). The underlying discourse behind this development is the need to guarantee security for EU citizens by securing all external borders, a narrative that was also reinforced by the long list of terrorist attacks that have occurred during these past few years on European soil.

The “Smart Borders Package (SBP)”[2], launched in 2013 by the EU Commission, proposed three main measures: (i) the creation of Entry Exit System (EES) that contain information of all visitants to the Schengen space, (ii) the establishment of a Registered Traveller Programme to ease this Entry-Exit process and (iii) an amendment of the Smart Border Code of 2006 to adapt such code to the overall system. A brief analysis of the evolution of this regulation confirms the securitization and datafication trends mentioned above. That first proposal for the SBP already suggested the creation of a “centralised system based on biometrics”, which is kept in the proposal of 2016 currently under negotiation. The argumentation and reasoning for this package and its clearly technological orientation is based on three proposed objectives: the need for improving border checks for Third Country Nationals (TCNs) by making them faster and easier, the control of “over-stayers”, and a reinforcement of internal security. It is argued that these goals would be facilitated by creating a common interface for sharing the personal information contained in the future Entry Exit System (EES) with the one stored already in other databases of the Union: Eurodac (storing information of refugees and asylum seekers) and SIS II (storing information of criminal records shared between member states law enforcement authorities). The proposal for an EES Regulation (2016), endorses the use of four fingerprints plus facial images of all people entering or leaving the EU, with five years of retention period. According to the proposal, all member states and EUROPOL will have access to this enormous amount of information “under strictly defined conditions”[3].

One of the social collectives particularly affected by this new regulatory framework is asylum seekers. Eurodac was created in 2000 (it has been operating since 2003), with the main purpose of managing asylum seekers’ applications. However, its 2013 revision allowed the use of stored personal data for “investigation of serious crimes and terrorist offences”[4]. The new proposal for a revision of this regulation (2016) includes the use of facial images combined with fingerprints. Moreover, it extends the initial purpose of the system, proposing to “contribute to fight irregular migration”[5], by matching data stored in Eurodac with information included in other databases (VIS and SISII), and guarantees access to the information kept in Eurodac by EUROPOL. The most sensitive component of this proposal is the idea of lowering the age limit for taking fingerprints from twelve years old (presently the case) to six years old (Arts 10, 13 and 14), which in fact has already been questioned heavily from both a technical and a human rights perspective (Kindt, 2013, 753). These reforms involving a wide redefinition of the original purposes of Eurodac, are being argued for based on: the potential use of the system for the detection of unaccompanied minors, the desired “effectiveness of EU return policy”[6] jointly with the reduction of detention periods, and – again – issues of internal security.

Biometrics at borders and the security narrative: some findings of the project “Biometric data in large EU IT systems in the areas of borders, visa and asylum – fundamental rights implications” commissioned by Fundamental Rights Agency of the European Union (FRA)

Dna_fingerprintingMultimodal biometric systems – combining in this case fingerprints with facial identifiers – are being extended for the use of registering and tracking refugees as they enter and settle in the EU. Even though the use of these systems is advocated for because of their heightened and proved accuracy in comparison with the use of one identifier, it should be noted that biometric data is defined as “sensitive data” by the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 (Art 4)), meaning it is data that requires special care during its handling. In this regard, the mentioned accuracy of multimodal biometrics brings various implications concerning the right to privacy, since there are also many legitimate reasons to hide one’s identity. Cases of people in a witness protection programme or under international protection from political prosecution are particularly relevant in the context of refugees’ procedures and should be seriously considered when setting any identity management system. Concerning data protection in particular, all the regulations included in the Smart Border Package (SBP) point out the required compliance with the Directive 95/46/EC/GDPR and the need of applying the principles of Privacy by Design (PbD), such as proportionality and purpose limitation.

However, a recent study led by Eticas Research and Consulting[7] in collaboration with the Spanish National Research Council (CSIC[8]) for the Fundamental Rights Agency of the EU (FRA) titled “Biometric data in large EU IT systems in the areas of borders, visa and asylum – fundamental rights implications[9]”, has revealed that the use of biometrics at borders does not come free of a series of negative impacts on fundamental rights, including the right to privacy and the right to freedom. Eticas and CSIC worked for eighteen months (2015–2016) in six European and four non-European countries (Spain, Germany, Italy, Belgium, Sweden, Poland, Nigeria, Thailand, Algeria and Ukraine) conducting extended fieldwork research, which included in-depth interviews carried out with public officials, asylum seekers and migrants, as well as experts in relevant fields (a total of 286 interviews). In addition, three surveys were carried out with border guards, staff at embassies processing visa applications, external service providers of technology and visa applicants. Moreover, a survey among border guards was conducted at border crossing points in Member States, including Zeebrugge port in Belgium, the airports Frankfurt in Germany, Barajas in Spain, Fiumicino in Italy and Arlanda in Sweden, as well as the border crossing point Terespol in Poland. Research results point out that the introduction of these systems is not only generating barriers and risks for many right holders (such as visa applicants and asylum seekers), but is also bearing serious risks for potential violation of such rights in the future.

At an institutional level, many interoperability issues were detected during fieldwork, including problems with outdated data in SIS II[10] for example, which affects migrants’ procedures. The interviewed experts not only underlined specific issues currently faced when sharing information between administrations, but also emphasized the impact of policy change in the potential misuse of personal data, insisting that hacking risks and potential security breaches are always present. Most of these issues are well described in the recent publication of research results in “Fundamental rights and the interoperability of EU information systems: borders and security”[11].

On the other hand, certain negative implications of using biometrics at borders from a societal point of view, such as exclusion or discrimination in border crossing procedures, were revealed by the above-mentioned study. For example, individuals whose fingerprints are damaged because of manual work or vulnerable groups for which the systems are not adapted yet – such as elderly people and people with disabilities (due to difficulties when providing biometrics) or children (due to changes in identifiers) – seem to have suffered discrimination due to technical or managerial limitations. Other societal problems of current biometric systems deployed at borders include the changing character of identity versus the permanent character of biometric identification, which is not always foreseen or dealt with by the policy systems, like in the cases of gender change and facial image management. Moreover, attempts of avoiding identification have at times and in some cases proved to lead to self-harm and the use of force during recent years, mainly in the south and east border of Europe. Finally, the FRA project shows extended violations of the right to be informed about how one’s personal data will be managed and stored, which proves to have a serious and direct impact on the practices of affected migrants, resulting for example in denial to provide biometric identifiers on behalf of the right holders or rejection of rightful petitions on behalf of the authorities.

As an outline, we could say that the increasing use of biometric data within the new European system of border control seem not to be entirely justified both in legal and social terms. This inconsistency leads to doubt in the actual proportionality of these measures and raise some questions. Are we gaining in internal security by gathering biometric data from third-country nationals? Are we protecting children by taking their biometric data when their parents are not informed adequately? Short-term solutions have proved to be politically profitable and long-term effects are invisible so far, so when we are judging the effectiveness or feasibility of gathering all this personal data, we should ask ourselves if we are asking the right questions. 

Mariano M. Zamorano is Chief Research Officer at Eticas AAEAAQAAAAAAAA0WAAAAJDFiZmExZWI2LTQyY2MtNDA1Yi1iY2Q0LWQ5MTY1MTRiYWUyNwR&C. Zamorano holds a PhD in cultural policies by the University of Barcelona. The author has an extensive experience in the development of interdisciplinary academic projects and is specialized in the sociological examination of public cultural policies and the societal impacts of technology, particularly in the field of migration.



Amoore, Louise (2006). “Biometric borders: Governing mobilities in the war on terror”, Political Geography, 25, 3, 336-351.

Bigo, Didier (2014). “The (in)securitization practices of the three universes of EU border control: Military/Navy – border guards/police – database analysts”, Security Dialogue, 3.

——————(2006). “Security, Exception, Ban and Surveillance”. In Theorizing Surveillance. The. Panopticon and Beyond, edited by David Lyon. Devon: Willan, 46-68.

Kindt, E.J. (2013). “The Need for a Consistent Legal Regulation of Biometric Data”. In Privacy and Data Protection Issues of Biometric Applications. Law, Governance and Technology Series, 12. Springer: Dordrecht.

Marin, Luisa (2017). “The deployment of drone technology in border surveillance: between techno-securitization and challenges to privacy and data protection”, in Michael Friedewald, J. Peter Burgess, Johann Cas, Walter Peissl, Rocco Bellanova, Surveillance, Privacy and Security: Citizens’ Perspectives. Taylor & Francis: London, 107-122










[10] SIS II is an information system that allows Member States law enforcement and judicial authorities to perform specific tasks by sharing relevant data.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s