Thursday 21 March 2024

Resistance is futile: the new Eurodac Regulation – part 4 of the analysis of new EU asylum laws


Professor Steve Peers, Royal Holloway University of London

Just before Christmas, the European Parliament and the Council (the EU body consisting of Member States’ ministers) reached a deal on five key pieces of EU asylum legislation, concerning asylum procedures, the ‘Dublin’ system on responsibility for asylum applications, the ‘Eurodac’ database supporting the Dublin system, screening of migrants/asylum seekers, and derogations in the event of crises. These five laws joined the previously agreed revised laws on qualification of refugees and people with subsidiary protection, reception conditions for asylum-seekers, and resettlement of refugees from outside the EU. Taken together, all these laws are intended to be part of a ‘package’ of new or revised EU asylum laws.

I’ll be looking at all these agreements for new legislation on this blog in a series of blog posts (see the agreed texts here), unless the deal somehow unravels. This is the fourth post in the series, on the new Regulation on Eurodac – the system for collecting personal data to attempt to ensure the operation of the EU’s asylum laws. The previous blog posts in the series concerned the planned new qualification Regulation (part 1), the revised reception conditions Directive (part 2), and the planned new Regulation on resettlement of refugees (part 3).

As noted in the earlier posts in this series, all of the measures in the asylum package could in principle be amended or blocked before they are adopted, except for the previous Regulation revising the powers of the EU asylum agency, which was separated from the package and adopted already in 2021. I will update this blog post as necessary in light of developments. (On EU asylum law generally, see my asylum law chapter in the latest edition of EU Justice and Home Affairs Law; the summary of the current Regulation below is adapted from that chapter).

The new Eurodac regulation: background

There have been two previous ‘phases’ in development of the Common European Asylum System: a first phase of laws mainly adopted between 2003 and 2005, and a second phase of laws mainly adopted between 2011 and 2013. The 2024 package will, if adopted, in effect be a third phase, although for some reason the EU avoids calling it that.

The initial Eurodac Regulation (the ‘2000 Regulation’) was adopted before the first phase of the CEAS, back in 2000, to supplement the Dublin Convention on the allocation of responsibility for asylum applications, which also predated the first phase. The 2000 Regulation was subsequently replaced in 2013, as part of the second phase of the CEAS (the ‘2013 Regulation’).

The 2013 Regulation requires fingerprints of all asylum seekers over fourteen to be taken and transmitted to a ‘Central Unit’, which compares them with other fingerprints previously (and subsequently) transmitted to see whether the asylum seeker has made multiple applications in the EU. (So did the 2000 Regulation: the difference is that Member States since 2013 have to take fingerprints not only of those who apply for refugee status, but also of those who apply for subsidiary protection, a separate type of international protection for those who do not qualify for refugee status; for the definitions, see Part 1 in this series).

Similarly, Member States have to take the fingerprints of all third-country nationals who crossed a border irregularly, and transmit them to the Central Unit to check against fingerprints subsequently taken from asylum seekers. The reason for this is that one of the grounds to determine responsibility for asylum applications under the Dublin rules is which Member State the person concerned first entered without authorisation. The deadline to take the fingerprints is within seventy-two hours after an application for international protection is made, or after apprehension in connection with irregular crossing of an external border.

Member States may also take fingerprints of third-country nationals ‘found illegally present’ and transmit them to the Central Unit to see whether such persons had previously applied for asylum in another Member State. If so, it is possible that the other Member State is obliged to take them back under the Dublin rules. But note that under the 2013 Regulation, it is not mandatory to take and transmit the fingerprints of this group, and the Eurodac system does not store them. Law enforcement agencies and Europol have also been given access to Eurodac data, subject to certain conditions.

For a transitional period under the 2000 Regulation, the data on recognized refugees was blocked once the refugee status of a person was granted. However, the 2013 Regulation unblocked this data. Conversely, the 2013 Regulation reduced the time that the Eurodac system retained data on irregular border crossers (cutting that time from two years to eighteen months).

Unlike most other EU asylum laws, the Eurodac Regulation has not been the subject of case law of the CJEU, so it is not necessary to look at case law to fully understand its meaning.

The UK and Ireland opted in to the two previous Eurodac Regulations, although the 2013 Regulation ceased to apply to the UK (along with the Dublin rules) at the end of the Brexit transition period. Ireland opted out of the proposal for the 2024 Regulation, although it could still choose to opt in to that Regulation after it has officially been adopted. Denmark is covered by Eurodac as part of its treaty with the EU on applying Dublin and Eurodac; there are also treaties with Norway and Iceland, and Switzerland (with a protocol on Liechtenstein) to apply the Dublin rules and Eurodac too.

As with all the new EU asylum measures, each must be seen in the broader context of all the others – which I will be discussing over the course of this series of blog posts. The Eurodac Regulation has always had close links with the EU’s Dublin rules on allocation of responsibility for asylum applications; the new version of the Regulation will have further links with other EU law on asylum, as discussed below.

The legislative process leading to the agreed text of the revised Eurodac Regulation started with the Commission proposal in 2016, as a response to the perceived refugee crisis. A revised version was tabled in 2020, as part of the relaunch of all the asylum talks. The negotiations on that proposal by EU governments (the Council), and then between the Council and the European Parliament, have been convoluted, but have now ended. But this blog post will look only at the final text, leaving aside the politics of the negotiations. My analysis focusses on how the new Eurodac Regulation will differ from the 2013 Regulation, the main details of which were already summarised above.

Basic issues

Like other measures in the asylum package, the application date of the 2024 Eurodac Regulation is two years after adoption (so in spring 2026). However, as discussed below, there will be special rules on the application of the Regulation to temporary protection (ie the application of the EU temporary protection Directive on initial short term protection in the event of mass influxes, so far applied only once, to those fleeing the invasion of Ukraine).

The 2024 Eurodac Regulation first of all expands the list of the purposes of Eurodac – previously support of the Dublin system, with some law enforcement access to data – to include general support for the asylum system, assistance with applying the Resettlement Regulation (on which, see part 3 of this series), control of irregular migration, detection of secondary movement, child protection, identification of persons, supporting the EU travel authorization system and the Visa Information System, the production of statistics to support ‘evidence-based policy making’, and to assist with implementing the temporary protection Directive. The clause on ‘purpose limitation’ related to the use of personal data is far broader, although it is now accompanied by a general human rights safeguard.

Next, the type of data collected is expanded beyond fingerprints to include ‘biometric data’, now defined as including ‘facial image data’. Other types of data will also be newly collected. The obligation to take data is more clearly highlighted in the 2024 Regulation, along with both further safeguards and yet also ‘the possibility to use means of coercion as a last resort’.

The age of collecting data from children will be reduced from 14 to 6. While there will be special safeguards for children, these make uncomfortable reading. For instance, ‘[n]o form of force shall be used against minors to ensure their compliance with the obligation’, and yet ‘a proportionate degree of coercion may be used against minors to ensure their compliance’.

New provisions in the 2024 Regulation aim to secure interoperability with other EU databases – namely the ETIAS travel authorization system and the Visa Information System. Also, the use of Eurodac to generate immigration statistics will be hugely expanded.

Data will still be collected for Eurodac from asylum-seekers and those crossing the external border irregularly, with additional data on changes of status of the data subject. Also, data will now be collected and stored on a mandatory basis (rather than being checked against the database, but not stored, on an optional basis), for irregular migrants, to assist in identifying them. Finally, data will now be collected for the first time as regards four more situations: EU resettlement under the new Resettlement Regulation; national resettlement; search and rescue; and temporary protection, under the EU temporary protection Directive. However, the extension to temporary protection cases only applies to future hypothetical uses of the temporary protection Directive – not to those covered by the 2022 application of that Directive to those fleeing the invasion of Ukraine.

Most of this data will be automatically compared to data already in Eurodac. Data on asylum-seekers will be stored (as before) for ten years; data on irregular border crossers will now be stored for five years, rather than 18 months; and there are varying periods of storage (usually five years) for data newly collected under the 2024 Regulation. However, for temporary protection cases, the storage period is linked to the period of temporary protection under EU law, which is currently three years maximum. As before, data will be erased in advance if the person concerned obtains citizenship of a Member State, but not (for irregular border crossers) if they leave or obtain a residence permit. Conversely, data on those who obtain international protection will be kept for the usual ten year period, rather than (as before) deleted three years after obtaining protection.

Finally, as for data protection, the huge increase in data being collected is regulated by largely the same standards as before (adapted to include the collection and comparison of facial images, as well as the collection of data on security risks), except it is now possible to transfer data to non-EU countries for the purposes of return.


There was no Commission impact assessment specifically for the amendments to the Eurodac Regulation, and the rationales for the amendments offered in the preamble to the Regulation are rather sweeping. However, there is more detail in the explanatory memoranda to the Commission’s proposals. The 2016 proposal argues for Eurodac to be used not just to facilitate application of the Dublin system, but also as a tool for application of immigration control more broadly. In the Commission’s view, this justified the use of the system to identify those who were staying irregularly – including more comparisons of data. Collecting data on younger children was justified on grounds of safeguarding, to trace parents if they were separated. The collection of facial images and other new types of data was justified on grounds of facilitating identification. Data on relocation should be collected in order to transfer an asylum seeker to the correct Member State under the Dublin rules. The ten year period of retaining asylum seeker data, even if a claim was successful, was justified in case those with status moved without authorization and had to be returned to the Member State responsible. A longer period of retaining data of border crossers, without advance deletion in as many cases, was justified in case it was necessary for return purposes.

As for the revised 2020 proposal, the Commission argued that it was necessary to be consistent with other new rules on search and rescue, resettlement, changes to the main Dublin rules, screening, listing rejected applications (so that the rules on repeat applications could be applied), and internal security risks (because this rules out relocation under the Dublin rules).

Many of these rationales – which in any event are not based on detailed statistical analysis, in the absence of a specific impact assessment from the Commission (a vague staff working document does not contain any further detail) – can be questioned. Was it necessary to include future temporary protection cases, given that an ad hoc solution was found for the current use of the temporary protection directive? In particular, was it necessary to include such cases, considering the original rationale of Eurodac, if (as in the current use of temporary protection) the Dublin rules are de facto disapplied to temporary protection beneficiaries?

Given that the system is extended to temporary protection cases, why does the logic of a short period for retaining data in such cases not apply more broadly? Or at least, why is the logic of retaining data on resettled persons for five years – because long-term residence status is likely then – not applied equally to other people with protection status, or a residence permit? (The idea – raised during negotiations – of deleting data once people obtained long-term residence status was unfortunately dropped). This is a subset of the more general flaw with the whole package of amendments: the determination to strengthen the application of negative mutual recognition (ie Member States recognizing each other’s refusal of applications), without strengthening positive mutual recognition (recognizing the successful applications in other Member States) in parallel, and without considering the cases where those with protection status have a justified reason to move to another Member State (see the threshold set out in the Ibrahim judgment, for instance), or the prospects of long-term residents using their right under EU law (the long-term residents' Directive) to move to another Member State if they meet the criteria to do so. Finally, there is no rationale for using the Eurodac system for returns in light of the expansion of the Schengen Information System to the same ends (expanded data on entry bans, data on return decisions), which is already applicable in practice.

Overall then, the new Eurodac system will collect much more data, on many more people, for far more purposes, and for much longer – and with an inadequate explanation for many of these changes.
