Step one: Making an application

This report is available in PDF format here.

Visas

Visa applications are generally submitted on paper at the embassy or consulate of a Schengen state. Applicants must hand over significant amounts of personal data to the authorities including, amongst other things, information on their identity, employment, education and, if applicable, the personal details of the person or organisation inviting them to the Schengen area.

Biometrics are a key part of the EU’s visa regime, with ten fingerprints and a photograph taken from every applicant aged 12 or over. Legal proposals currently under discussion would lower the minimum age to six. This would mean the storage of biometric data from up to a million more children in the central database of the EU’s Visa Information System (VIS), which at the end of 2018 held 42 million fingerprint sets in total. A recent upgrade expanded the database so that it can hold a total of up to 100 million visa applications.[1]

Applicants also have to demonstrate that they have valid medical insurance for their trip and visa authorities are able to request extensive further documentation, if so desired. This might include bank statements, travel tickets, proof of accommodation, employment, property ownership, or even “proof of integration in the country of residence,” amongst other things. Applicants may also be called to attend an interview, so that officials can better assess their trustworthiness.

If an application is admissible – that is, the form is complete, biometrics have been taken and the fee paid – a file is created in the VIS. This contains a sub-set of the data in the application form, including names; sex; date, place and country of birth; travel document details; and purpose of travel. Application files can be linked to one another (for example, those of family members or previous applications), offering something of an investigative function to officials, who are able to see with whom an individual has familial, social or professional ties.

Data held in the system is accessible by hundreds of thousands of officials working for hundreds of EU and national authorities. By September 2017, “the approximate total number of end-users accessing VIS” for purposes related to visa applications, identity checks and asylum applications was “more than 458,000,”[2] with 116 national authorities granted access as of May 2016 (the most recent figures available).[3] For the purposes of law enforcement access to the VIS (see ‘Step five: Departure’), at the end of September 2017 there were 3,867 “access points” and 7,343 user accounts.[4]

It is likely that in the future the entire application process will be digitised, allowing all visa application data to be entered into the system. This will facilitate “behind-the-scenes risk analysis” and “data-driven algorithms that translate the common visa policy into checks and alerts,” according to a study carried out for the European Commission.[5]

Travel authorisations

Citizens of visa-exempt countries will have to provide a significant amount of personal data as part of their travel authorisation application, which will be submitted through an online portal and stored in a new database, the European Travel Information and Authorisation System (ETIAS). Amongst other things, the data required for a travel authorisation will include names, address, age, nationality, occupation, level of education and the names of the applicant’s parents.

Biometrics will not be stored in the ETIAS. However, anyone granted a travel authorisation will have four fingerprints and a photograph taken when they arrive at the Schengen border, for inclusion in the Entry/Exit System (EES), another new database that will record border crossings and provide national authorities in the EU with lists of ‘overstayers’ – those who stay longer than permitted in the Schengen area – with the aim of aiding in their detection and expulsion. The EES is expected to hold files on almost 50 million visa-exempt travellers by 2025.

Travel authorisation applicants will also be asked to answer questions on whether they have been convicted of criminal or terrorist offences, whether they have been present in a conflict or war zone (and if so, why) and whether they have ever been subject to a deportation order. The authorities may also request additional documentation or information from applicants, who can be called to an interview if deemed necessary. As with an interview for a visa, the purpose would be to better assess the trustworthiness of the individual.

If an application is admissible – that is, the form is complete and the fee (€7) has been paid – a file is automatically created in the ETIAS Central System. These contain a reference number, the status of the application, the date and time of submission and all the data submitted in the application form. As with the VIS, new application files can be linked to previous ones, offering something of an investigative function to officials. Given that the ETIAS is not yet up and running, it is unknown how many authorities or individuals have access, but the numbers are likely to be extremely high.

How data from travel authorisation applications will be checked against EU and Interpol databases. Similar rules will be put into effect for the visa application data held in the VIS. Source: European Commission

Feeding the EU’s new identity database

In the coming years, data from both visa applications and travel authorisations will be used as a source of data for another new EU database currently under construction, called the Common Identity Repository (CIR). Identity data collected from visa and travel authorisation holders – names, date and place of birth, sex, travel document data, fingerprints and a photograph – will be stored in the CIR, while other data relating to the visa or travel authorisation application – for example, the purpose of travel or the applicant’s occupation – will remain in the VIS and ETIAS.

The same process will be applied to three other large-scale EU databases: the Entry/Exit System (EES), which will record all border crossings in and out of the Schengen area; Eurodac, which stores data on all asylum-seekers in the EU and is being expanded to also hold information on undocumented migrants; and the European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN), which will hold data on non-EU citizens convicted in one or more EU member state. The CIR will initially be able to hold up to 300 million individual records.

Once in the CIR, this data will be used for purposes beyond those of the underlying databases. While data from the VIS and ETIAS is primarily gathered for processing visa and travel authorisation applications, the transfer of ‘identity data’ to the CIR will be used to facilitate identity checks by police officers and other officials, assist in law enforcement investigations, and even help with the gruesome task of identifying dead people. It will also be used for new, automated procedures that will try to detect the use of false identities by non-EU nationals, through the large-scale comparison of biometric and biographic data across the different systems. In the words of one critic, this equates to pulling “a new legal basis out of a hat, after you have already collected personal data.”[6]

The interoperability plan is controversial for a number of reasons. By breaking the ‘silo’ model of data management in the EU, whereby personal data was held in separate databases for strictly defined purposes, it breaches one of the basic principles of data protection law, known as purpose limitation. According to this rule, personal data should be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”[7] As the European Commission remarked in 2010: “A single, overarching EU information system with multiple purposes would deliver the highest degree of information sharing,” but would also be “a gross and illegitimate restriction of individuals’ right to privacy and data protection”.[8] Clearly, times have changed.

The legislation on identity checks also fails to meet EU legal standards on police access to personal data due to weak anti-discrimination safeguards, no evidence that non-EU nationals are more likely to pose a security threat than EU nationals (whose data is not stored in any similar type of database) and a failure to clearly define the specific offences or legal thresholds that could justify access to the database.[9]

The merging and comparison of so much personal data from so many different systems also raises issues regarding the ability of data subjects to know who has access to their data, what is being done with it, and how they can correct it should it be erroneous. It may be particularly difficult for non-EU citizens to exercise their data rights due to language barriers and legal complexity.[10]


How the new Common Identity Repository and Multiple Identity Detector will function. SIS = Schengen Information System

Data storage in the EES, ETIAS, VIS and CIR

All data under the headings 'Biometric data, 'Biographic data' and 'Travel document data' will be stored in the CIR. That listed under 'Application data' will be stored in the individual systems.

Source

VIS

ETIAS

EES

Data type

Visa-obliged

Visa-exempt

Entry

Refusal

Entry

Refusal

Biometric data

Fingerprints (number of prints)

X (ten)

 

 

X* (four)

X (four)

X* (four)

Facial image

X

 

X

X*

X

X*

Biographic data

First name(s)

X

X

X

X

X

X

Surname

X

X

X

X

X

X

Former surname(s)

X

 

 

 

 

 

Name at birth

 

X

 

 

 

 

Previous names

 

 

 

 

 

 

Previously used names

 

 

 

 

 

 

Aliases, pseudonyms, artistic names, usual names

 

X

 

 

 

 

Parents’ first names

 

X

 

 

 

 

Date of birth

X

X

X

X

X

X

Place of birth

X

X

 

 

 

 

Nationality(ies)

 

X

X

X

X

X

Sex

X

X

X

 

X

X

Gender

 

 

 

 

 

 

Travel document data

Type and number

X

X

X

 

X

X

Issuing country code

X

X

X

 

X

X

Validity

X

X

X

 

X

X

Application data

 

Application number and status

Application number and status

Date, time and border crossing point of entry

Date, time and border crossing point of refusal

Date, time and border crossing point of entry

Date, time and border crossing point of refusal

 

Authority responsible for visa application / issuance / refusal

Date and time of application submission

Visa data, i.e. number and authorised stay

Reasons for refusal of entry

Exit data

Reasons for refusal of entry

 

Place and date of application

IP address

Date, time and border crossing point of exit

 

Date, time and border crossing point of exit

 

 

Type of visa and validity period (if issued)

 

Remaining authorised stay

 

Remaining authorised stay

 

 

Details of the person/company inviting and/or liable to pay applicant’s subsistence costs

Data of the person/company making the application, if not the traveller

 

 

 

 

 

Main destination and duration of stay

Member state of first intended stay and (optional) address of first intended stay

 

 

 

 

 

Purpose of travel

 

 

 

 

 

 

Date of arrival and departure

 

 

 

 

 

 

Border of first entry

 

 

 

 

 

 

Residence

Home address and/or city and country of residence, email address and phone number(s)

 

 

 

 

 

Current occupation and employer; for students, name of school

Occupation and level of education

 

 

 

 

 

For minors, parents’ names

For minors, names, address, email address and phone number(s) of parental authority or guardian

 

 

 

 

 

Scan of biographic data page of the travel document

 

 

 

 

 

 

 

If claiming status as family member of an EU citizen, their familial ties and details of the family member

 

 

 

 

 

 

Criminal convictions in last 10 or 20 (in case of terrorism) years

 

 

 

 

 

 

Stay in conflict or war zone in last 10 years

 

 

 

 

 

 

Subject to a deportation order in last 10 years

 

 

 

 

 

Results of the automated processing against databases, information systems and the watchlist

Results of the automated processing against databases, information systems and the watchlist

 

 

 

 

 

 

Any ‘flag’ added to the application

 

 

 

 

Retention period

 

Five years

Three years (with optional three year renewal, subject to traveller’s consent)

Three years

Five years

Three years

Five years

*If the person is refused entry because of a false / counterfeit / forged travel document, visa or residence permit; or because they are subject to SIS or national alert on refusal of entry.

Processing applications: new automated checks

Visas

The processing of visa applications is at present largely done manually, with officials making checks against two databases: the VIS, to see whether any previous applications by the same individual exist; and in the Schengen Information System (SIS, a vast EU database for police, judicial and border control cooperation), to see whether they are wanted by the police or subject to an entry ban.[11]

Proposed changes to the visa process would automate most of this work, whilst increasing the number of databases against which applicants are screened. The legislation is currently under negotiation between the European Parliament and the Council of the EU, but when it comes into force the VIS will automatically check other EU and international databases to see if an applicant is wanted by the police, subject to a deportation order or entry ban, has previously applied for asylum in the EU, been apprehended for irregularly crossing an external EU border or being within the EU in an irregular situation, or has been convicted of terrorism or serious criminal offences in the EU.[12]

There will also be automated checks to see if the person has previously applied for a visa; if they have visited the Schengen area in the past and if so, how long for; or if they are listed in any of Europol’s databases. A new Multiple-Identity Detector that is being introduced as part of the interoperability agenda will check if their identity data matches that held in any other EU database and, if so, whether they may be using a false identity.[13]

Currently, visa applications are not routinely checked against these databases and the proposal to do so raised some eyebrows amongst data protection specialists, but no serious critiques were forthcoming.[14] However, such checks were already written into law for travel authorisations, and they also apply to EU citizens when they cross the external borders of the Schengen area – in this context, extending the veil of suspicion to visa applicants was a logical step.

‘Hits’ resulting from these automated checks will have to be manually verified by the visa authorities. If the hits are accurate, and do concern the visa applicant, they must be taken into account in the assessment of the application.[15] Furthermore, the Council of the EU would like to give Europol the power to issue a “reasoned opinion” on applicants whose details trigger a hit in the agency’s databases. While not formally binding on the visa authorities, this would be a significant extension of the agency’s powers.

Travel authorisations

The ETIAS is intended to be largely automated unless a check against a database, watchlist or profiling system results in a ‘hit’, at which point an application will be manually processed by national authorities.

Travel authorisation applications will be checked automatically against a host of other EU and international databases. These will see whether the applicant should be refused entry into the Schengen area; is wanted for arrest or extradition; is using a travel document reported as lost or stolen; has previously visited the Schengen area and, if so, how long for; or has ever made a visa application and the results of that application.[16]

Automated checks will also see whether the applicant has previously applied for asylum; been apprehended whilst irregularly crossing an external border or in an irregular situation within the EU; has been convicted of terrorism or other serious criminal offences in the EU; or is listed in any of Europol’s databases. A new ‘Multiple-Identity Detector’ being introduced as part of the interoperability agenda will check if their identity data matches that held in any other EU database and, if so, whether they may be using a false identity.[17]

If these checks lead to hits, the ETIAS Central Unit – which will be operated by Frontex, the EU border control agency – will be given access to the application file and any files linked to it, for verification purposes. National authorities must be consulted on hits against data they have supplied to EU databases and may veto the application if they wish. The same applies to Europol, the EU’s policing agency, although it does not have a veto power.[18]

A travel authorisation application must be refused if the applicant is subject to an alert concerning a lost, stolen, misappropriated or invalidated travel document or an alert on refusal of entry or stay. In other cases, the national authorities must use the information available to assess the application.

International document databases as a tool of political persecution

The requirement to check visa and travel authorisation applications against databases of travel documents reported as lost or stolen may, at first glance, appear sensible. However, the main international system for making such reports – Interpol’s Stolen and Lost Travel Documents (SLTD) database – is known to have been used by states seeking to persecute their political opponents. In this regard, the automatic refusal of travel authorisations in cases where the document associated with the application is reported as lost or stolen is particularly concerning.

It is well-established that states have used the SLTD database, along with other Interpol mechanisms such as red notices and blue notices,[19] to harass and persecute political opponents.[20] In 2017 the Stockholm Center for Freedom, a human rights organisation started by Turkish exiles in Sweden, documented a number of cases of such persecution by the Turkish state. For example, the journalist Sevgi Akarçesme was removed from a July 2017 flight from Brussels to New York just prior to departure, after the Turkish authorities issued a false notification in the SLTD database. Enes Kanter, a professional basketball player in the USA, narrowly avoided arrest in Indonesia at the Turkish government’s behest, only to be detained at an airport in Romania due to a false report in the SLTD database.[21]

Applicants who are refused a visa or travel authorisation have the right to appeal the decision. However, that appeal will be conducted according to the national law of the member state that refused the application, meaning that individuals’ rights will differ from state to state. Furthermore, while they must be provided with information on the right of appeal in their native language, applicants who do make an appeal will be left to navigate a foreign legal system in a language in which they are unlikely to be fluent. In any case, who are the authorities more likely to believe – an Interpol notice, or a lone individual?

False identities, or false positives? New technologies in the application procedure

As noted above, one of the new automated checks being introduced into the visa and travel authorisation application procedure concerns the possible use of false identities. As part of the EU’s rules on ‘interoperability’, a new system called the Multiple Identity Detector (MID) will be introduced, with the aim of doing exactly as its name suggests.

When the MID comes into use, every time a file is created in any EU policing or migration database – in this case, the VIS or the ETIAS – the biographic and biometric data it contains will be compared to other EU systems dealing with policing, border control, border crossings, travel authorisations, asylum applications and criminal records. In the event of one or more ‘hits’ – that is, where data in the new file matches pre-existing data in one or more systems – a file will be created in the MID, containing a ‘yellow link’ between the two sets of matching data.

The authority that created the file will then have to assess whether the matching sets of data legitimately refer to the same person (e.g. people who have changed their name), illegitimately refer to the same person (i.e. a case of identity fraud), or refer to different people with similar identities, and mark the linked data as such.

Clearly, if a large number of yellow links are generated by the MID in relation to visa applications, the workload of the visa authorities would significantly increase.[22] The same can be said of ‘hits’ against any other databases following automated checks. The process for clarifying and interpreting those links is to be set out in implementing legislation, which is currently under discussion.[23] That decision may also address whether it should be mandatory to interview individuals whose data gives rise to a yellow link, but its content has not yet been made public.

Quality control

Data quality is another crucial issue for the proper functioning of any database, and is fundamental if the EU’s interoperability project is to work as intended. However, the quality of the data stored in the underlying databases that will feed the new ‘interoperable’ systems is far from perfect, something of which the EU’s governments are well aware. In April 2020, a year after the interoperability legislation was adopted, the Council Presidency circulated a paper calling for a “roadmap for standardisation for data quality purposes.”[24]

A 2018 study by the EU’s Fundamental Rights Agency found data quality problems with all existing large-scale EU databases. With regard to the VIS, the study highlighted cases where biometrics were attached to the wrong application file, resulting in false matches, as well as “significant amounts” of inaccurate data being stored in files.[25] The European Court of Auditors has also highlighted serious issues with data quality in the VIS, as well as the Schengen Information System and Eurodac databases.[26]

The interoperability legislation contains provisions requiring the introduction of automated quality checks on all data entered in existing and forthcoming EU databases and information systems.[27] How those checks will be enacted will be set out in another piece of implementing legislation, which is also currently under discussion.[28]

This may go some way to solving problems caused by poor quality data, but will not happen for some time. In the meantime, there has been no suggestion of providing extra funding for national data protection authorities responsible for overseeing the use of these systems, despite previous calls for more funding and personnel in order to ensure effective supervision.[29]

Current and future checks for visa and travel authorisation applications

 

Visa applications

Travel authorisation applications

 

Current checks

Future checks

Future checks

National databases

X

X

X

EU DATABASES

Visa Information System

Previous applications

X

X

X

Profiling tool

 

X

X

Schengen Information System

Refusal of entry or stay

X

X

X

Surrender or extradition

 

X

X

Missing persons

 

X

 

Wanted to assist with a judicial procedure

 

X

 

Discreet checks

 

X

 

Specific checks

 

X

 

Lost or stolen travel document

X

X

X

Entry/Exit System

Previous border crossings

 

X

X

Time spent within the Schengen area

 

X

X

European Travel Information and Authorisation System

Previous travel authorisation application(s)

 

X

X

Watchlist

 

X

X

Eurodac

Previous asylum application(s)

 

X

X

Irregular border crossing(s)

 

X

X

Apprehended in an irregular situation within the EU

 

X

X

European Criminal Records Information System for Third-Country Nationals

Conviction(s) in EU for terrorism or other serious crimes

 

X

X

Multiple Identity Detector

 

X

X

Europol data

 

X

X

INTERNATIONAL DATABASES

Interpol

Stolen and Lost Travel Documents database

 

X

X

Travel Documents Associated With Notices database

 

X

X

Automated profiling of all travellers

EU law defines profiling as using the automated processing of personal data “to evaluate certain personal aspects relating to a natural person”. This can include analysing or trying to predict “performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” It is widely used in sectors such as insurance, finance and advertising and is becoming increasingly common in welfare, migration and security policy, to try to detect “‘unknown’ individuals who may be of interest” and aid in decision-making.[30]

The use of profiling raises serious risks for fundamental rights regarding discrimination, privacy and due process. Actions taken on the basis of profiling may lead to further interferences with the rights to liberty and security, to a family life, freedom of expression and freedom of assembly, amongst other things. In the context of migration policy, it may lead to inaccurate decisions or unwarranted searches, seizures, questioning or investigation. Any “bias, error, or system failure can result in irreparable harm to individuals and their families,”[31] who, as non-citizens, may face particular difficulties in exercising their rights to redress.

In the coming years, profiling will aid decision-making on both visa and travel authorisation applications and could be used to ‘flag’ individuals considered of further interest to the authorities. Data mining tools will comb through applications, statistics on overstay and refusal of entry, information from national authorities on security risks, and epidemic disease risks identified by global health bodies, in order to generate “screening rules”. These will then be used to identify individuals previously unknown to the authorities, but “assumed to be of interest for irregular migration, security or public health purposes due to fact that they display particular category traits.”[32]

In the legislation on visas and travel authorisations these category traits are referred to as “risk indicators”. They include age range, nationality, country and city of residence, destination, purpose of travel and occupation. It is important to note that the rules and risk indicators used to assess visa and travel authorisation applicants will be based on data collected and analysed not solely by computers, but by people as well. “Bias may be introduced at each step of the process,”[33] increasing the risk of unwarranted refusals of applications, discrimination or invasions of privacy.

Such systems are already in use elsewhere. In February this year, Eyal Weizman, a researcher who investigates war crimes and state violence, was “barred from traveling to the United States for an exhibition of his work after being identified as a security risk by an algorithm used by the Department of Homeland Security.” Weizman said he was given “no reason” for the refusal and officials at the US embassy in London asked him if he could think of any reason why the system had flagged him. An official asked for “the names of anyone in my network whom I believed might have triggered the algorithm.”[34] As warned in a report on the use of automated decision-making tools for immigration and asylum purposes in Canada, there is the danger of creating “a laboratory for high-risk experiments within an already highly discretionary system.”[35]

In fact, the EU has been such a laboratory for quite some time. In 2016, a piece of legislation called the Passenger Name Record (PNR) Directive introduced the first automated profiling system in the EU’s border control regime.[36] This requires almost all airlines[37] to hand over data on all passengers on flights travelling into, within or out of the EU to ‘Passenger Information Units’ run by national law enforcement authorities. The data is compared against national and EU databases and against “pre-determined criteria” – a phrase seemingly-analogous to “risk indicators” – in order to detect individuals of interest prior to their arrival at an airport. The rules are being challenged in court by the Gesellschaft für Freiheitsrechte (Civil Rights Association, based in Germany) and epicenter.works (based in Austria).[38]

Meanwhile, the UK government has in recent years quietly introduced an automated profiling tool into its visa application system (the UK was never a Schengen state and so has always had a separate visa regime). The digital rights organisation Foxglove and the Joint Council for the Welfare of Immigrants are challenging the use of the “streaming tool” that is used to sift applications into “a fast lane (Green), a slow lane (Yellow), or a full digital pat-down (Red).” The two groups are pursuing a judicial review to find out what exactly the system does, how it works, and make sure it complies with the law. “As far as we can tell,” say Foxglove, “the algorithm is using problematic and biased criteria, like nationality, to choose which “stream” you get in. People from rich white countries get “Speedy Boarding”; poorer people of colour get pushed to the back of the queue.”[39]

It can be observed that the introduction of these systems represents, in some respects, the technological enforcement of already-existing practices. For example, EU states have long-deployed immigration liaison officers abroad to profile passengers and prevent them boarding flights if they are deemed likely to seek asylum, and countries in the Balkans have been pressured into preventing their own nationals, if they are deemed to fit a certain profile, from departing their territory.[40]

Decisions based solely on automated profiling are illegal, but automated systems may exert significant influence on official decision-making, as has been found with police use of facial recognition technology.[41] Further legislation is being drafted to establish the details of the profiling systems for the VIS and the ETIAS. Close scrutiny should be afforded to that legislation and the use of the systems, which may have profound implications for the tens of millions of people who travel to the EU every year.

A new pre-crime ‘watchlist’

The inclusion of wanted or suspect individuals on lists drawn up by the police or other authorities is an old phenomenon. However, digital technologies make it far easier to maintain and extend such lists, and the EU has several of them. The Schengen Information System (SIS), for example, contained alerts on over 126,000 persons wanted for “discreet” or “specific” checks at the end of 2019.[42] In the case of the former, border guards or other officials surreptitiously gather as much information as possible from an individual, without making them aware they are the subject of an alert. The latter type of check involves direct questioning by border guards or other officials. Europol can also store data on ‘potential criminals’. The EU also maintains lists of individuals subject to sanctions, such as asset-freezing, due to their involvement in acts of terrorism.[43]

The keeping of such lists can be lawful, but raises a number of serious questions concerning fundamental rights. The EU’s terrorism ‘blacklists’ were the subject of serious criticism due to the listing process and the failure to provide basic procedural rights, such as the possibility of appeal, until a series of high-profile legal cases led to some changes.[44] A large number of authorities are able to insert alerts in the SIS – primarily law enforcement, judicial and border authorities, but also intelligence agencies and bodies from non-EU countries.[45] This raises questions about oversight, to ensure that alerts are justified and accurate, and may make it difficult for individuals to exercise the limited rights available to them when they are subject to “discreet” or “specific” checks.

The legislation on ETIAS establishes a new watchlist,[46] against which all applications for travel authorisations and, under legal proposals being discussed, visas,[47] will be checked. On the one hand, this list will include data on individuals who are suspected of having committed or taken part in terrorist or other serious criminal offences. On the other, it will include people who it is believed may commit such offences in the future. In this respect, it is “future-oriented” and aims to “support decision-making on who is authorised to travel to the EU based on what a traveller might do,” not only what they may have done.[48]

Both Europol and EU member state authorities will be able to enter information into this new watchlist. The authority that enters the data is responsible for ensuring it is “adequate, accurate and important enough to be included.”[49] Individuals will have the right to request access to and correction or deletion of any data held on them by EU and national authorities, but the process may not be simple. A variety of different data protection regimes will govern the watchlist and its use.[50] Law enforcement authorities, responsible for data added to the list, have ample opportunities to apply restrictions to data subjects’ rights. More fundamentally, no EU institution has ever publicly explained why the watchlist is necessary and how it will relate to other existing EU systems, in which it is already possible to include the ‘potential criminals’ the authorities believe may commit offences in the future.

Some further legislation will be passed to clarify the “technical specifications” of the watchlist.[51] As with the forthcoming traveller profiling system, this legislation and the eventual use of the watchlist should be closely scrutinised to examine its impact upon fundamental rights.

Making a decision

Visas

These new methods of processing visa applications will be far more data-intensive than is currently the case, but should – in theory – be far quicker. The aim is to produce better-informed decisions more swiftly and introduce a ‘level playing field’ in the assessment of visa applications across the Schengen states.

However, there is no guarantee these new technologies will achieve their goal. A 2013 study found that for citizens of eastern and central European states and “oil-rich countries,” except Iraq and Iran, “not receiving the visa applied for is a rare experience.” On the other hand, despite applying for a relatively low number of visas, citizens of sub-Saharan African states faced an “extremely high” refusal rate. The most recent statistics demonstrate the same trend.[52]

The same study highlighted that for western Schengen states such as France and the Netherlands, visa issuance and refusal patterns “are highly sensitive both to the country’s postcolonial legacies and general economic interest in regard to emerging economies, while new [Schengen] members are, with very few exceptions, acting nearly exclusively in relation to non-EU Eastern European countries.” If the data fed into the EU’s new automated systems is skewed by political and economic interests and colonial legacies – not to mention the discretion of officials, who make the final decision on visa applications[53] – then the ‘risks’ that they indicate will be equally flawed. At the same time, as noted previously, the introduction of new automated checks may actually slow down the procedure, by introducing more data that has to be manually verified by officials.

The political, economic and historical interests at play in the visa procedure are well-demonstrated by a further facet of the Schengen regime. Individuals of certain nationalities are subject to more stringent checks than others, through a process known as ‘prior consultation’. Any EU member state can notify all other member states that if an individual of a particular nationality applies for a visa, the notifying member state must be consulted by the consulate that has received the application. The consulted state has a veto power over the decision to issue the visa or not.

A US diplomatic cable released by Wikileaks in 2004 provides a vivid illustration of the way this works. The cable, from the US embassy in Brussels, said that the nationalities subject to prior consultation “generally follow colonial patterns. For instance, before any member state issues a visa to an Algerian citizen, France must be given the name of the applicant.” If the authorities so decide, “France can refuse to allow the partner Member State to issue the visa.”[54]

The list of nationalities (and specific categories of person holding that nationality, for example diplomats) subject to prior consultation is published, although the particular member states that require prior consultation remain secret. There are currently 38 states on the list – over a third of all the states whose citizens require a visa to enter the Schengen area. Moreover, any refugee or stateless person who applies for a visa, whatever their nationality, also faces ‘prior consultation’.

The end result of all these checks and consultations is, of course, the issuance or refusal of a visa. This must be done within 15 calendar days from the date on which the application was lodged, but can be extended to up to 30 or even 60 days. With a visa affixed to their passport, an individual will then be able to travel to the Schengen area.

Travel authorisations

A travel authorisation is issued if all the checks and procedures put in place show no indication of a security, illegal immigration or high epidemic risk. Applicants should be informed of the result within 96 hours of making an application, but this can be extended if additional information or documentation is requested, or if they are called to an interview at a member state’s consulate. Once an application has been approved, the traveller will be able to make their journey to the Schengen area.

A Schengen visa. Source: European Commission

Previous section: Introduction | Next section: Step two: The journey

Notes

[1] eu-Lisa, ‘Technical reports on the functioning of VIS’, May 2018, p.9, https://www.eulisa.europa.eu/Publications/Reports/2018%20VIS%20reports.pdf

[2] Ibid., p.18

[3] List of competent authorities the duly authorised staff of which shall have access to enter, amend, delete or consult data in the Visa Information System (VIS), Official Journal of the European Union, C 187/4, 26 May 2016, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1591113452708&uri=CELEX:52016XC0526(01)

[4] eu-Lisa, ‘Technical reports on the functioning of VIS’

[5] Deloitte/European Commission, ‘Study on the feasibility and implications of options to digitalise visa processing’, 10 February 2020, https://op.europa.eu/en/publication-detail/-/publication/4cb4fbb8-4c82-11ea-b8b7-01aa75ed71a1/language-en

[6] Daniel Trilling, ‘Scaled-up surveillance: the EU builds a massive biometric database’, Coda, 9 June 2020, https://www.codastory.com/authoritarian-tech/eu-border-patrol-technology/

[7] Article 5(1)(b), General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

[8] European Commission, ‘Overview of information management in the area of freedom, security and justice’, COM(2010) 385 final, 20 July 2010, p.3, https://ec.europa.eu/home-affairs/sites/homeaffairs/files/news/intro/docs/com_2010_385_en.pdf

[9] ‘Data Protection, Immigration Enforcement and Fundamental Rights: What the EU’s Regulations on Interoperability Mean for People with Irregular Status’, https://www.statewatch.org/news/2019/nov/interoperability-report.htm

[10] Ann-Charlotte Nygård, ‘EU wide availability of personal data of third country nationals for migration and security purposes – the challenge of ensuring fundamental rights safeguards’, Migration Policy Centre, undated, http://www.migrationpolicycentre.eu/eu-personal-data-third-country-nationals-for-migration-security/

[11] Article 21, Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009R0810

[12] Article 9a, Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52018PC0302

[13] Ibid.

[14] The European Data Protection Supervisor, in an opinion on the legal proposals to revamp the VIS, did raise the issue of “the role and impact of data processed for law enforcement purposes in the visa issuance decision-making process,” but did not fundamentally question the proposal’s intentions. https://edps.europa.eu/sites/edp/files/publication/18-12-13_opinion_vis_en.pdf

[15] Article 9c, Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52018PC0302

[16] Article 20, Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1240

[17] Ibid.

[18] Articles 22-27, Regulation (EU) 2018/1240, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1240

[19] Elmas Topcu, ‘Turkey using Interpol to track down dissidents’, DW, 7 November 2019, https://www.dw.com/en/turkey-using-interpol-to-track-down-dissidents/a-51159723

[20] Abdullah Bozkurt, ‘Secret documents reveal abuse of Interpol mechanisms by Turkish government’, Nordic Monitor, 1 February 2019, https://www.nordicmonitor.com/2019/02/secret-documents-reveal-abuse-of-interpol-mechanisms-by-turkey-government/

[21] ‘Abuse of the Interpol system by Turkey’, Stockholm Center for Freedom, September 2017, https://stockholmcf.org/wp-content/uploads/2017/09/Abuse-Of-The-Interpol-System-By-Turkey_September-20-2017.pdf

[22] General Secretariat of the Council, ‘Interoperability and the visa procedure – Possible implications of interoperability on the daily work of the consulates – Presentations’, WK 8371/2019 INIT, 10 July 2019, http://statewatch.org/news/2019/aug/eu-counvcil-interop-visas-WK-8371-19.pdf

[23]  Commission Implementing Decision on the technical rules for creating links between data from different EU information systems, https://ec.europa.eu/transparency/regcomitology/index.cfm?do=search.documentdetail&Dos_ID=18686&ds_id=65379&version=1&page=1

[24] Presidency of the Council, ‘Structure and main principles of the roadmap for standardisation for data quality purposes – Presidency discussion paper’, 7125/20, 15 April 2020, https://data.consilium.europa.eu/doc/document/ST-7125-2020-INIT/en/pdf

[25] European Union Agency for Fundamental Rights, ‘Under watchful eyes: biometrics, EU IT systems and fundamental rights’, 2018, p.96, https://fra.europa.eu/sites/default/files/fra_uploads/fra-2018-biometrics-fundamental-rights-eu_en.pdf

[26] European Court of Auditors, ‘EU information systems supporting border control – a strong tool, but more focus needed on timely and complete data’, 2019, https://www.eca.europa.eu/Lists/ECADocuments/SR19_20/SR_Border_control_EN.pdf

[27] Article 37, Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems, https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32019R0817#d1e2990-27-1

[28]  Commission Implementing Decision laying down the details of the automated data quality control mechanisms and procedures, the common data quality indicators and the minimum quality standards for storage of data in the EES, VIS, ETIAS, SIS, the shared BMS and the CIR, pursuant to Article 37(4) of Regulation (EU) 2019/817 of the European Parliament and of the Council, https://ec.europa.eu/transparency/regcomitology/index.cfm?do=search.documentdetail&Dos_ID=18907&ds_id=66033&version=1&page=1

[29] ‘Visa Information System: private companies gathering data, insufficient funding for data protection’, Statewatch News, November 2015, http://database.statewatch.org/article.asp?aid=35780

[30] European Union Agency for Fundamental Rights, ‘Preventing unlawful profiling today and in the future: a guide’, 2018, https://fra.europa.eu/sites/default/files/fra_uploads/fra-2018-preventing-unlawful-profiling-guide_en.pdf

[31] Petra Molnar and Lex Gill, ‘Bots at the gate: a human rights analysis of automated decision-making in Canada’s immigration and refugee system’, September 2018, p.4, https://citizenlab.ca/2018/09/bots-at-the-gate-human-rights-analysis-automated-decision-making-in-canadas-immigration-refugee-system/

[32] Susie Alegre, Juliean Jeandesboz, Niovi Vavoula, ‘European Travel Information and Authorisation System (ETIAS): Border management, fundamental rights and data protection’, 18 May 2017, https://www.europarl.europa.eu/thinktank/en/document.html?reference=IPOL_STU(2017)583148

[33] ‘Preventing unlawful profiling today and in the future: a guide’, p.12

[34] Robert Mackey, ‘Homeland Security Algorithm Revokes U.S. Visa of War Crimes Investigator Eyal Weizman’, The Intercept, 21 February 2020, https://theintercept.com/2020/02/20/homeland-security-algorithm-revokes-u-s-visa-war-crimes-investigator-eyal-weizman/

[35] ‘Bots at the gate’, p.1

[36] Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, https://eur-lex.europa.eu/eli/dir/2016/681/oj

[37] ‘Private jets exempt from data collection law pose crime risk’, Investigate Europe, July 2018, https://www.investigate-europe.eu/en/2018/private-jets-exempt-from-data-collection-law-pose-crime-risk/

[38] ‘No PNR’, https://nopnr.eu/en/home/

[39] ‘Legal action to challenge Home Office use of secret algorithm to assess visa applications’, Foxglove, October 2019, https://www.foxglove.org.uk/news/legal-challenge-home-office-secret-algorithm-visas

[40] Frances Webber, ‘The cradle or the grave? EU migration policy and human rights’, Statewatch Journal, vol. 23 no. 3/4, February 2014, http://database.statewatch.org/article.asp?aid=33154

[41] A report on the use of automated facial recognition technology by the UK’s Metropolitan Police found that there was a “presumption to intervene” when the system in use detected a match between an image on a police list and an individual in the street. https://48ba3m4eh2bf2sksp43rq8kk-wpengine.netdna-ssl.com/wp-content/uploads/2019/07/London-Met-Police-Trial-of-Facial-Recognition-Tech-Report.pdf

[42] eu-Lisa, ‘SIS II – 2019 statistics’, March 2020, https://www.eulisa.europa.eu/Publications/Reports/SIS%20II%20-%202019%20-%20Statistics.pdf

[43] Consolidated text: Council Common Position of 27 December 2001 on the application of specific measures to combat terrorism (2001/931/CFSP), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02001E0931-20171115; Council Regulation (EC) No 881/2002 of 27 May 2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002R0881

[44] Gavin Sullivan and Ben Hayes, ‘Blacklisted: Targeted sanctions, preemptive security and fundamental rights’, 2009, http://www.statewatch.org/news/2010/dec/eu-ecchr-blacklisted-report.pdf

[45] Matthias Monroy, ‘EU opens its biggest database for secret services from third countries’, 4 May 2020, https://digit.site36.net/2020/05/04/eu-opens-its-biggest-database-for-secret-services-from-third-countries/

[46] Article 9a, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52018PC0302

[47] Article 34, Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1240

[48] https://www.europarl.europa.eu/thinktank/en/document.html?reference=IPOL_STU(2017)583148

[49] Article 35(1)(a), Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1240

[50] Personal data processing by member states’ law enforcement authorities is governed by national law and the EU’s ‘Law Enforcement Directive’ (Directive 2016/680). Personal data processing by Europol is governed by the Europol Regulation (2016/794) as well as Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies.

[51] “The Commission shall, by means of implementing acts, establish the technical specifications of the ETIAS watchlist and of that assessment tool.” Article 35(7), Regulation (EU) 2018/1240, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32018R1240

[52] European Commission, ‘Complete statistics on short-stay visas issued by the Schengen States’, https://ec.europa.eu/home-affairs/what-we-do/policies/borders-and-visas/visa-policy_en#stats

[53] Francesca Zampagni, ‘Unpacking the Schengen Visa Regime. A Study on Bureaucrats and Discretion in an Italian Consulate’, Journal of Borderland Studies, 31(2), 2016, pp.251-266 https://doi.org/10.1080/08865655.2016.1174605

[54] https://wikileaks.org/plusd/cables/04BRUSSELS4844_a.html

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error