EU rights agency says impact of large biometric systems ‘partly unknown’
Europe has had a difficult 2022: The war in Ukraine has brought a flood of refugees to the European Union nation-states while policymakers have been trying to tackle major technological advances. A new report by the EU Fundamental Rights Agency (FRA) lays out the effects that these developments have had on human rights, including an analysis of European IT systems that rely on personal information such as biometric data.
The EU is developing six large-scale IT systems designed to process personal data of third-country nationals, including biometric data. They are designed to support border management, asylum procedures and internal security.
The Vienna-based agency has an advisory role within the EU. In its report, published on Thursday, FRA outlined recommendations to establish a mechanism for an independent review of its large-scale IT system. A role model for the mechanism could be the Independent Reviewer of Terrorism Legislation in the United Kingdom.
“Numerous safeguards embedded in EU law are intended to mitigate the risks of fundamental rights violations, provided they are adequately implemented,” says the FRA report “However, the EU IT systems are just coming into operation, and we are still discovering how several aspects work together. Their potentially vast impact on fundamental rights therefore remains partly unknown.”
Multiple EU agencies are currently finalizing the regulation of three new IT systems with a deadline set at the end of this year. This includes the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN).
The EU is also working on making its IT systems interoperable with the help of its eu-LISA agency ( European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice).
One example of this interoperability is detecting multiple identities with the help of biometric data. Currently, this task is handled by EU border agency Frontex and EU member states with member states expected to take over in the future. However, several states, including Belgium, Demark and Czechia, have issued complaints, opinions and investigations over data privacy and issues such as errors in matching.
FRA said that it aims to launch an online awareness-raising tool to provide information on the EU’s IT systems in early 2024.
The agency also raised questions about the Passenger Name Records (PNR) Directive which aims to regulate the transfer of PNR data from the airlines to national authorities, as well as their processing of this data.
“The PNR Directive entails serious interferences with the rights to privacy and data protection, as it seeks to introduce a surveillance regime that is continuous, untargeted, and systematic, including the automated assessment of all air passengers’ personal data. Given that, EU fundamental rights law requires that authorities’ powers provided for by the directive be limited to what is strictly necessary,” FRA says in the report.