Evidence from Statewatch to Sub-Committee E of the Select Committee on the European Communities (House of lords) - Draft Protocol extending the Eurodac Convention on the fingerprinting of asylum applicants to illegal immigrants (document 12943/98, dated 17.10.98)
The Protocol intends to supplement the draft Eurodac Convention (the "parent Convention"), which requires all EU Member States to fingerprint all asylum-seekers over fourteen years of age and send their fingerprints to a central database for comparison with the fingerprints of all previous asylum-seekers. To this end, the Protocol requires all Member States to take the fingerprints of "every alien" over fourteen who is "apprehended by the competent control authorities in connection with the irregular crossing by land, sea or air" of a Member State's border and send those prints to the Eurodac database (Article 3). These prints will be compared with those of subsequent asylum-seekers sent to the database (Article 4), and must be deleted from the database after two years except where the person has been issued with a residence permit or has left the territory of the Member States; in these cases deletion is immediate (Article 5). Member States may send the Eurodac central unit the fingerprints of persons "found to be illegally present" on its territory, to be compared with those of previous asylum seekers, but not those of illegal entrants. The prints of such illegal residents cannot be stored in the central Eurodac unit and must be destroyed immediately (Article 7). Finally, the provisions of the parent Eurodac Convention apply to the Protocol except where otherwise stated or implied (Article 8); the only explicit derogation from the parent Convention is in Article 6, which allows a Member State to prevent an illegal entrant from knowing whether his or her fingerprints have been transmitted to the Eurodac database.
2) Legal Status
The government's explanatory memorandum does not explain that, as decided at the Justice and Home Affairs Council of December 1998, the parent Convention has been "frozen" and will be agreed as Community legislation rather than an intergovernmental Convention. Presumably the Protocol will be agreed as a Community measure also. It would be useful for the government to clarify whether: a) it intends to "opt-in" to these measures and b) whether it foresees any difficulties from having a Community measure supplementing an intergovernmental Convention (the Dublin Convention). The recent Action Plan on implementing the Area of Freedom, Security and Justice only refers to the possibility of adopting a Community measure to replace the Dublin Convention, although the future Article 63(1) of the EC Treaty appears to place an obligation on the Community to do so. The question of legal status is also relevant to the issue of data protection (point 6 below).
3) Relationship with the parent Convention
It would have been preferable to have the "blocked" text of the Convention from December 1998 in order to scrutinize the Protocol fully. The references below are to the most recent text of the parent Convention seen (11868/1/98, 5 Nov. 1998).
Article 8 of the Protocol provides that there are implicit as well as explicit derogations from the parent Convention. Previous Title VI documents have specified more precisely which provisions of the parent Convention do or not apply to them (see the First and Second Protocols to the Convention on Protection of the Community's Financial Interests). It would be useful to take the same approach here and confirm: a) that the national supervisory authorities and the Joint Supervisory Authority provided for in the parent Convention can supervise the specific rules on checking and storage of fingerprints which apply to the Protocol; and b) that the obligation to delete fingerprints from the database upon the grant of citizenship to an asylum-seeker (Article 7, parent Convention) and to block fingerprints upon recognition of Geneva Convention refugee status (Article 8, parent Convention) also apply to the Protocol. On the latter point, there is a conflict between the parent Convention and the Protocol: if a person is granted a residence permit upon recognition of Geneva Convention refugee status, must his or her fingerprints be deleted entirely from the database (Article 5(2)(a) of Protocol) or merely blocked (Article 8, parent Convention)? Or will one set of fingerprints (as an illegal entrant, transmitted under the Protocol) be deleted and one set (as an asylum-seeker, transmitted under the parent Convention) be blocked? The latter solution seems illogical. It would be preferable to confirm that both sets of fingerprints must be deleted.
4) Unclear Definitions
Three of the crucial definitions in the text are unclear. There are a wide variety of possible interpretations of "irregular crossing" of a border (and more still of apprehension "in connection with" such irregular crossing), "found to be illegally present" and "issued with a residence permit". This raises the prospect of an extremely divergent interpretation of the Protocol in different Member States, with limited ability to ensure an uniform interpretation in light of the limits on the Court of Justice in the future Article 68 EC. There is no reference to the rights to continued residence which accrue to some third-country nationals from Community legislation (as family members of EC nationals), the EC Treaty (Article 59) or EC agreements with third states. According to the Court of Justice, the latter have primacy over secondary Community legislation (Case C-61/94, Commission v. Germany,  ECR I-3989). Furthermore, the lack of clarity gives rise to human rights concerns (point 6 below).
5) Clarification of Purpose
The text of the Protocol does not make it entirely clear why fingerprints of illegal entrants (or possibly illegal residents) should be taken and compared with the prints of asylum-seekers. Only the third and fourth preambular clauses to the Protocol specify why each set of data is being collected and compared. In order to ensure that fingerprints are only taken, transmitted and checked for limited purposes it would be preferable to state expressly in the Protocol that such actions can only be taken in implementation of Article 6 (allocation of Dublin Convention responsibility to the first Member State which the asylum-seeker entered illegally) or Article 10(1)(c) and (e) (obligations for the Member State with responsibility for an asylum-seeker to take him or her back after entry into another Member State during the examination of the application for asylum or after rejecting it) of the Dublin Convention. An unclear purpose for taking, transmitting and storing prints also gives rise to human rights concerns (point 6 below).
6) Human Rights and Data Protection
a) Validity of taking, transmitting and storing fingerprints
As the organs of the European Convention on Human Rights have held, it is a prima facie breach of Article 8 ECHR privacy rights to take and store fingerprints (Friedl v. Austria, Commission Report of 19 April 1994, paras. 52 and 53). However, taking and storing fingerprints can be justified, according to Article 8(2) ECHR, if "in accordance with the law and...necessary in a democratic society" to protect certain specified interests (ibid.). The Protocol is so unclear about the reasons for which fingerprints can or must be taken, and about the relevant definitions which apply to taking, transmitting, storing and deleting fingerprints, that it might be questioned whether taking, transmitting or storing fingerprints is sufficiently "in accordance with the law" by the Protocol to allow the Member States to invoke Article 8(2) or to allow the Community to invoke it as part of the general principles of EC law (on the importance of legal precision and clarity to the defences under Article 8(2), see Malone v. UK, ECtHR judgment of 2 Aug. 1984).
The existence of a legitimate aim for, the necessity for and the proportionality of taking fingerprints of illegal residents can also be doubted. Indeed, a report to the Council in spring 1998 (8441/1/98, 18 May 1998) quotes (at p. 6) the Council Legal Service's view that:
the inclusion in Eurodac of data relating to persons who had legitimately crossed the external frontiers of a Member State, but had later been found residing unlawfully in a Member State, cannot be justified.
While the proposed Protocol does not provide for including such data in Eurodac, it may still be questioned whether taking and checking fingerprints of illegal residents against the Eurodac database meets the legitimacy and proportionality tests of Article 8(2) ECHR.
Furthermore, the spring 1998 report to the Council does not specify in detail why it believes the use of fingerprints of other persons (the taking, transmission and storage of fingerprints under the parent Convention and of illegal entrants under the Protocol) meets the conditions of Article 8(2), simply asserting that "[t]here is no doubt that the purposes to which the Dublin Convention contributes do constitute a compelling social need and that [fingerprinting illegal entrants] can be regarded as supporting a legitimate aim". There is no reference to the specific justifications for restriction of rights in Article 8(2), and it has long been established by the ECHR that the grounds for restriction in Articles 8-11 ECHR are exhaustive (see Golder, judgment of 21 Feb. 1975). Moreover, the explanatory memorandum of the UK government makes no reference to consideration of the ECHR at all. This is, to say the least, a remarkable omission in light of the Human Rights Act.
The doubts on these points are even greater given the potential number of persons who might be covered by the provision (persons "found to be illegally present" may include persons who have had leave to reside in a Member State for a considerable time, or whose residence permits have expired while anticipating an extension of those permits from slow-moving national authorities).
Furthermore, the Protocol does not correct a glaring omission in the parent Convention, which fails to provide for controls on the use of fingerprint data after the data has been sent from the Eurodac database to national authorities.
b) Limitation on data protection rights
Article 6 of the Protocol is an inexplicable and wholly unacceptable limitation on the rights of the fingerprinted person ("data subject") which the United Kingdom should not accept. It would allow any or all Member State to derogate from the crucial Article 13(2) of the parent Convention, which gives a fingerprinted person the "right of access to data" as follows:
In each Member State any person may, in accordance with the laws, regulations and procedures of the State, exercise a right of access to data concerning him/her recorded in the central database. Such access to data may be granted only by a Member State. The person will be informed of the data relating to him/her recorded in the central database and of the Member State which transmitted them to the Central Unit.
The "right of access to data" in Article 13(2) is unqualified and can be enforced by court or administrative action (Article 13(11)). It is implicit from the wording of the Article that the "the laws, regulations and procedures of the State" refer only to the modalities of giving effect to the right and do not allow the right itself to be extinguished. Exercise of the right allows a person to request correction of inaccurate data or deletion of illegally recorded data (Article 13(3)); these rights may also be enforced by court or administrative action (Article 13(12)). It also facilitates damages claims against the Community for damage caused through the fault of Community staff in breach of their duties under the parent Convention (Article 12(2)) and for Member States for illegal use of fingerprint comparisons (Article 12(1)) and illegal taking and transmission of fingerprints and illegal taking, transmission and use of personal data (draft statement for Council minutes attached to Article 12(1)). It will still be open under the Protocol for fingerprinted persons to approach national supervisory authorities and ask them to check that the Convention is being complied with (Article 14(1) and 14(3)), but the possibility of an individual right of access may be extinguished.
The Protocol gives no explanation whatsoever, in the main text or the preamble, for allowing Member States to extinguish the fingerprinted person's individual rights. The government's explanatory memorandum states only at para. 17 that "[t]he proposed Eurodac provisions take full account of data protection considerations", but it is difficult to accept that abolition of a fingerprinted person's individual data protection rights does take full account of those considerations. Furthermore, a Member State which uses the option in Article 6 can, according to that provision, attempt to "export" its disregard for data protection rights, because if a fingerprinted person applies for the relevant information in another Member State, the Member State of origin must be given "an opportunity to state its position" before the requested Member State releases the information.
It is strongly arguable that the proposed extinction of a fingerprinted person's individual data protection rights would constitute a violation of the effective remedies obligations of Article 13 ECHR. Indeed, the European Commission of Human Rights found such a breach in Friedl v. Austria (cited above), because the applicant had no way of complaining about recording and storing of personal data and fingerprints by the police. While the Strasbourg Court has accepted that non-judicial remedies (such as access to a supervisory authority, as provided for in the parent Eurodac Convention) might constitute an "effective remedy" for the purpose of the ECHR, "the powers and procedural guarantees an authority possesses are relevant in determining whether the remedy before it is effective" (Klass v. Germany, judgment of 6 Sep. 1978, p. 30). The Strasbourg Court has been willing to accept that non-judicial bodies can offer relatively limited remedies in cases involving national security or police investigations (Klass, ibid.; Leander v. Sweden, judgment of 26 Mar. 1987), but these limitations were clearly accepted only in light of the facts of the cases (absence of notification was acceptable in Klass "in order to ensure the efficacy of surveillance measures" (p. 30-31), and in Leander an effective remedy was assessed "having regard to the restricted scope for recourse inherent in any system for the protection of national security" (p. 32)). Under the Protocol, the sole purpose of comparing the illegal entrant's fingerprints with those of subsequent applicants for asylum would be to ascertain which Member State has responsibility for considering an asylum application. This in no way involves criminal investigations or prosecutions or the protection of national security, so there is no apparent justification for a Member State to abolish a fingerprinted person's right to access to data.
Moreover, if the Protocol is adopted as a European Community measure, it is arguable that Directive 95/46 on data protection will apply to it, since the measure will fall not within the exclusion in that Directive for measures adopted under Title VI of the EU Treaty. It may be difficult to justify a complete abolition of a fingerprinted person's data protection rights under the Directive, or indeed under the Council of Europe Data Protection Convention, to which the Community intends to accede.
If some Member States insist upon maintaining their national law which extinguishes such rights, it would at least be appropriate to restrict the ability of other Member States to join them, by providing instead that only those Member States whose national laws currently deny such a right may maintain a reservation (or a "derogation" from a Community measure) on the rights of the fingerprinted person. This reservation or derogation should be non-renewable or at least be reviewed at regular intervals.
a) the government should clarify its intentions on accepting the draft Protocol and the parent Convention after entry into force of the Amsterdam Treaty;
b) the government should indicate whether early adoption of the Eurodac Convention and Protocol as Community measures has any implications for the operation of the Dublin Convention, or early "transformation" of the latter into a Community measure;
c) the government should press for greater clarity about the application of Eurodac Convention articles to the Protocol, especially in cases of conflict;
d) such a far-reaching measure should not include so many vague definitions of fundamental terms;
e) the application of the Protocol to persons with rights to reside under other Community measures should be explicitly excluded;
f) the text of the Protocol should explicitly limit the purposes for which fingerprints and other data can or may be taken to the circumstances of Articles 6 and 10(1)(c) and (e) of the Dublin Convention respectively; g) the Protocol may well breach the ECHR, in light of its unclear definitions and purposes;
h) the option for Member States to take fingerprints of illegal residents may well breach the ECHR;
i) the UK should not accept the possible complete exclusion of the fingerprinted person's data protection rights, in light of possible incompatibility with Article 13 ECHR, EC data protection law and the Council of Europe data protection Convention.
This evidence from Statewatch was prepared by Steve Peers, Reader in Law, Human Rights Centre, University of Essex, 1 March 1999.
© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.