The EU’s ‘Interoperability’ project: a revolution in information-sharing or surveillance gone wrong?

Over the past three years, it has become clear that the discourse surrounding migration, asylum and security-related concerns have, in most EU member states, become deeply contentious. Following 2015’s ‘migration crisis’, the shortcomings of the EU asylum system became strikingly evident. The terrorist attacks in Paris, Brussels and Berlin acted as a catalyst to pursue an initiative that had been in the pipeline for over 15 years: a collation of all the largest information-storing EU databases. The goal? To close the alleged ‘information gap’ and to sort the unwanted from the welcomed.

Several databases are already operational, such as the Schengen Information System (SIS), which stores information about criminals and missing persons; the Visa Information System (VIS), which holds the data of visa applicants and the European Asylum Dactyloscopy Database (EURODAC), which retains the fingerprints of asylum seekers. During the last three years, these databases have been updated to store more information and to integrate new functionalities. Moreover, new databases will be established to track all entries and exits to and from the EU, in addition to screening tourists travelling to the EU during online applications, against data compiled from watchlists.

As a final step, all EU databases will soon be interconnected, in order to create links between the data in the different systems. Titled ‘Interoperability’, this project was jointly adopted by the European Parliament and the European Council in May of this year.

Such an interconnected system had long been considered too complex and complicated to build, but with technology rapidly developing, and in light of emerging migratory challenges and terrorist threats, the decision to render immigration control even more reliant on large-scale information systems seemed perfectly justifiable.

So, what exactly is Interoperability? Interoperability will be comprised of four linked components that will connect the different databases: a European Search Portal, which will enable searches to be carried out across all databases; a Biometric Matching Service, which will create a common platform to store biometric templates and a Multiple Identity Detector, which will draw on data from any given database in order to detect fraudulent identities. The fourth component is the Common Identity Repository, which will store certain data from the underlying databases in a central repository. That repository may be accessed by authorities in member states in circumstances wherein criminal investigations are necessary, i.e. during police checks or during operations conducted by Europol and Frontex.

Interoperability will allow authorities to better monitor the EU’s external border crossings, to detect false identities, to track terrorists, criminals, unauthorised immigrants or those whose visas have expired. Although it is not the intention to store the details of EU citizens in the interoperable system, some of the databases that are responsible for feeding the interoperability components will contain the data of individuals who hold dual citizenship and the data of EU citizens who have been convicted or are suspected of crimes.

While these developments represent a promising initiative to protect the EU’s borders from terrorists and unwanted immigrants, the whole system could potentially violate the EU’s laws on data protection, not to mention prove a more expensive endeavour than planned.

One of the key principles of data protection law requires that processing be carried out for specified purposes. By merging immigration databases with systems that also store information about criminals, it will be difficult to prove whether authorities have processed personal data for a specific purpose.

The interoperable system will increasingly depend on biometric data, given that this data is generally considered reliable for queries relating to the identification of people. Here, incorrect accusations may be made on the grounds of wrongful identification, based on the fact that in many countries, certain names are more common than others. Consequently, the use of biometric data may indeed help to improve the identification of persons who hold the same name, birth dates or nationality.

However, the underlying systems often hold inaccurate data. As a result, compiling these data may lead to an increase in wrong matches and false hits, instead of facilitating decision-making and improving data quality. According to a feasibility study, the databases will retain more than 400mn datasets of persons, while the Common Identity Repository would retain around 242mn alone. Any inaccuracy within the databases could lead to thousands of wrong hits and would thus overwhelm the authorities who will spend their time amending these errors.

The equipment that is required to implement this dubious legal text is ludicrously expensive. At present, the estimated cost of establishing the interoperable system is €425mn. Member states are expected to contribute to the costs, hence interoperability will be financed by taxpayers, although there is no real evidence that the system will actually facilitate migration control and law enforcement.

While it has often been argued that terrorist attacks such as the one on the Berlin Christmas market in 2016 could have potentially been prevented had interoperability been enforced, one of the problems that caused the attack was the lack of information-sharing between member states. Besides the issue of data quality, it is worth asking whether interoperability could actually lead to more data-sharing. Interoperability might very well inhibit exchanges, because authorities would not necessarily know who will have access to the data they share, as it is ultimately up to the member states to designate the authorities they deem qualified to access the databases.

Moreover, it is not yet clear who will build such a system. Evidently, the interoperability project would be highly profitable and could only be undertaken by a handful of IT companies. So far, no information has been disseminated about who is likely obtain the bid, but the European companies that are equipped with the means to build the interoperable system range from scarce to non-existent.

By adding new layers to an already complex system of EU databases, interoperability will arguably make it more difficult to scrutinise the way in which data is collected, accessed and shared.

For now, the interoperable system will not include EU citizens, but there is room for expansion: Once the interoperable system is operational, including Passenger Name Record (PNR) data or financial data of EU citizens in the databases should prove quite easy.

Should we really devote all our efforts into creating a supposedly ‘secure’ society, simply because it is technologically feasible? After all, we tend to create irreversible settings ‘simply because it is possible’, without actually thinking through its consequences. Have we now passed the ‘panopticon’ whereby we can, theoretically, be surveilled at all times? Is this the result of mass ignorance or mass apathy?