Tiffany Guggenbühl, LLM Candidate in Human Rights Law, The University of Edinburgh
Winning entry for the EU Immigration Law Prize 2018/19
External border control and internal security in the European Union (EU) have become two sides of the same coin. Controlling immigration is increasingly used for security purposes while security and crime governance methods are used to carry out border and immigration controls. Both rely on the mass collection and exchange of Third-Country nationals' (TCNs) personal data, giving rise to considerable privacy challenges. It is worth addressing them because of the prerequisite to ensure the protection of privacy and personal data imposed by a Union that has decided to make its databases interoperable.
Regulation (EU) 2017/2226 seeks to establish an Entry/Exit system (EES) which registers information on the entry, exit and refusal of entry of TCNs who cross the external borders of the Schengen area. It pursues a twofold objective: on the one hand, the management of the EU external borders; on the other, the access to the data by law enforcement authorities (LEA) to prevent, detect and investigate terrorist offences and other serious criminal offences. In other words, the first objective is to retain data of TCNs (who complied with their duration of authorised stay) for purposes of border management, reduced border crossing time and the facilitation of accelerated border crossings. The second objective allows LEA to produce information for investigations connected with cases related to terrorism and other sufficiently serious criminal offences. In this context, the EES Regulation is very likely to interfere with the right to respect for private life (Article 7 of the Charter) and the right to protection of personal data (Article 8 of the Charter). These rights are not absolute and limitations can be justified, as long as they respect the requirements under Article 52(1) of the Charter. It therefore all boils down to whether the EES Regulation constitutes a legitimate interference with the right to protection of personal data and the right to privacy regarding data retention periods by respecting the strict necessity and proportionality test.
The challenge posed by the new legislation to privacy is particularly relevant because of the data protection constraints imposed by legal precedents. First, the significance of the rulings Marper and Digital Rights Ireland for the reconstruction of the connection between pre-emptive surveillance and privacy cannot be underrated. In those judgments, the European Court of Human Rights and the EU Court of Justice (CJEU) have stressed that the mere retention of personal data may challenge the right to privacy.
Second, the CJEU in its Opinion 1/15 on the Draft EU/Canada PNR Agreement established that an interference restricting the right to privacy and personal data protection must follow an objective of general interest and only be applied to the extent it is strictly necessary. In this case, the Court approved the storage and use of data where retention would be on the basis of objective criteria demonstrating that the data could be instrumental in the fight against terrorism and serious transnational crime. This justification allowed a five-year data retention period as the objective did not exceed the limits of strict necessity nor contradict the principle of proportionality.
The strict necessity and proportionality test
Any interference of the EES Regulation with data protection rights needs to be tested in light of these precedents, to check whether the objectives of the Regulation can be enforced in a ‘necessary’ and ‘proportional’ manner. Looking at the first objective of border control, Article 34 of the EES Regulation provides for a 3-year data retention period. The EES stores information on TCNs' identity (both visa-required and visa-exempt travellers) together with their travel documents and biometric data. The exact date and time of entry and exit, border crossing point and last exit are also registered. Articles 17, 18 and 19 of the Regulation specify the data of visa-exempt TCNs, TCNs who have been refused entry and those whose authorisation for short-stay has been revoked, annulled or extended.
Data revealing private information touches upon Article 7 of the Charter, while its processing falls under Article 8 of the Charter. The balancing test will determine whether an interference with data protection rights is justifiable or problematic. The 3-year retention period of the first objective appears to be problematic under EU law as it exceeds what is strictly necessary. Accordingly, the data retention period under the EES fails to be legitimised by the first objective of improving management of the Union's external borders. Indeed, the purpose of border management cannot be considered as an objective of general interest, as forceful as fighting terrorism and serious transnational crime. The retention of data from TCNs, who do not constitute a risk to public security, seems to exceed what is strictly necessary. Furthermore, the EES does not make provision for a depersonalization of data after a certain time as TCNs remain identifiable during the entire retention period. Whilst the retention of data for overstayers or individuals with an entry ban may be justified, a retention period of three years for TCNs does not constitute the least intrusive measure to attain the first objective of the system.
The test of interference should also apply to the second objective of the EES: the protection of public security. Longer retention periods may be justified inasmuch as the retention of data is founded on objective evidence that the data is necessary to participate in preventing, detecting and investigating terrorist or other serious offences. The measure shall be the least intrusive possible to accomplish its objective of crime prevention in the most efficient way while simultaneously ensuring its compatibility with basic fundamental rights standards. It strikes a fair balance between the allegedly competing interests: on one hand, the fundamental rights of data protection and on the other hand, the increased demand for security and surveillance of potential criminals. Consequently, the retention of data after a TCN has left the Union is only proportionate to reach the second objective of the EES in its fight against terrorism and serious crime.
The underpinning feature in the test is to assess whether the length of data retention periods can be justified for achieving the objective of the specific measure; it is not the actual length (be it three or five years) that determines necessity. In addition, a shorter retention period may seem less intrusive in terms of the standards established for Articles 7 and 8 of the Charter; however, a shorter length cannot be translated as automatically proportionate. Although the Court has not established a precise admissible time-length to retain personal data, there remains an obligation to justify the interference with fundamental rights by complying with the principles. As a result, an authentic justification regarding the first EES objective is required to justify a specific length. This is not at all obvious for the data retention periods envisaged in the EES Regulation.
The reliance on an integrated use of technology in the securitisation of migration under the EES Regulation highlights troublesome interferences with the right to protection of personal data and the right to privacy. The data retention period under its objective of border management appears excessive. The measure fails to respect the strict necessity test; hence, there is no need to examine its proportionality. In contrast, the retention of data to fulfil the objective of public security is both necessary (the EES Regulation is the least intrusive to achieve this objective) and proportionate (a fair balance between the intensity of the interference and the legitimacy of the objective) for the fight against terrorism and serious crime. There are consequently serious grounds for re-examining the EES Regulation in its current form in order to prevent a negative review by the CJEU and other possible actions against the potential of the Regulation to breach fundamental rights of data protection.