Both at the external EU borders, such as Greece and Italy, and the internal ones amongst EU Member States, we have witnessed a dispersion of the border, through its digitalization. This banalization of data collection, to which COVID-19 related measures have also contributed, has led to a re-definition of the symbolic border, also from a legal viewpoint. Henceforth, numerous questions have been raised regarding the legitimacy of these measures, as well as their repercussions on fundamental human rights.

In light of the above, Dr Niovi Vavoula, a Senior Lecturer in Migration and Security, specialising in EU immigration, criminal and privacy law at Queen Mary University of London, answered some of our questions, seeking to unveil the process behind further border digitalization as well as its legal implications.

Dr. Vavoula is an analyst for EU Live and affiliated to Statewatch to which she regularly contributes with short analyses. She was previously a visiting scholar at ULB - Université Libre de Bruxelles (2014), George Washington University (2022 – Society of Legal Scholars Grantee) and European University Institute (EUI) (2022). Between 2017-2018 she was Post-Doctoral Research Assistant at Queen Mary, University of London and taught EU Law at the London School of Economics and Political Science (LSE).

During the past three years, we have witnessed the emergence of a new form of governance, initially aimed at controlling human mobility to contain the pandemic and progressively expanding to migration control issues. In particular, border digitalization is reaching a new level, which was unthinkable before. Do you believe that this process will continue after the end of the pandemic? How will it affect borders in general?

Niovi Vavoula – This trend is particularly interesting, especially since it is exemplified by other microtrends. Essentially, we have seen that governments consider mobility a matter of state interest. As a result, both minor mobility events, such as going to a pharmacy or a supermarket, as well as major mobility events, have become prominent state issues - even within the Schengen area. This is clearly exemplified by the different strategies adopted during the lockdowns: in Greece, for instance, people had to send SMS messages in order to be authorised to step outside of their homes, a measure that has been adopted in Cyprus as well. In a similar vein, health data have become part of state interest. Additionally, border crossing or even travelling within the EU has become a complicated procedure, requiring a series of prior authorization and documentation to be submitted in advance to private actors, who are being co-opted in policing the mobility of individuals. The digitalization process is presented as the panacea used to treat all the problems related to monitoring mobility, both on a local, regional, and national levels: the border is rendered omnipresent.

This situation has also made people quite numb towards the collection of their data: personal data are automatically labelled as state data that can be demanded and collected despite representing particularly sensitive information - such as health data, personal contacts, or the information collected through the Passenger Location Form every time a flight is booked. During the pandemic, people have been routinely brought to think that the growing collection of data is obviously a matter of concern for the state, banalizing it. This trend is both interesting and dangerous: if individuals accept the fact that their data can be asked by the state at any point, their sphere of privacy shrinks, potentially further legitimising a priori pervasive data collection and processing mechanisms that have very little to do with the containment of the pandemic.

In your viewpoint, in which ways does this pervasive digitalisation of surveillance affect fundamental rights?

NV –  When we talk about digitalization and digital systems, obviously the first rights that come to everyone’s mind are privacy and data protection, the first layer of interference. In my viewpoint, it is only the gateway. Opening the floodgate, various rights also come into play, such as the right to seek international protection. Moreover, especially when we speak about automated or semi-automated decision-making, and notably through the use of algorithmic profiling, also the principle of non-discrimination comes into play very prominently.

Digitalization, along with the digital interconnected systems that buy data from one state and influence decisions taken on another one, also call into question the right to an effective remedy: how can an individual challenge a decision based on data extracted from different sources, in which forum, and how effectively can this be done?

The access to a legal remedy is thus key. Within this framework, how could someone bring a case before national Courts, with what evidence?

NV – Evelien Brouwer has conducted a lot of research on legal remedies and the information systems that are currently operational, the SIS, the VIS and EURODAC. Her work has demonstrated that judicial remedies are not effective, as it is very difficult to challenge on a national level individual decisions that have led to the issuance of an alert. Because of the mutual trust principle, a state decision to submit an alert needs to be respected by other Member states and can therefore lead to a refusal of entry or refusal of stay. Hence, it is very difficult to challenge an alert inserted in the system, even when it is abusive.

In relation to EURODAC, I am looking into the possibility of challenging incorrect data inserted by other Member states. My research has shown that the threshold for judicial review is particularly high, and that there must be a significant reason to trigger it. One such reason is the wrong categorization leading to incorrect storage of data: for example, when an individual has been categorised as an asylum seeker while being an undocumented migrant, or vice versa. Individuals subjected to wrongful categorizations can potentially challenge them on the territory of another Member state, because the errors are considered of utmost importance. However, other irregularities that have taken place in one Member state, for instance during the provision of information or during the fingerprinting process, cannot be challenged. It follows from the above that there is, to this day, a lack of effective remedies.

Going beyond data protection and privacy issues, which do you think is the most problematic impact of the digitalization process of borders and surveillance?

NV – Digitalization is two-dimensional. While I am known to be very critical of digitalization, it is important to highlight both the positive and the dark sides of digitalization. The positive side is that digitalization creates visibility. If a person is tracked, and their personal data have been collected, processed, and stored, it is difficult for the state not to take account of that person. Visibility limits the discretion of the state to take arbitrary decisions, such as pushbacks. This can contribute to state accountability, especially in light of what we see nowadays regarding Frontex implications in illegal pushbacks, in Greece and elsewhere.

Simultaneously, visibility creates the appetite for the authorities to prevent entries in the EU territory as early as possible, before having the obligation to digitally track and collect the data. As a result, digitalisation can also prevent the subjection of the individual to EU law. Thus, it enables authorities to know where to look up in order to find out who is about to enter state territory, as early as possible, so that these people will not become a matter of state concern. This has, as we can appreciate, implications beyond privacy: not being given the opportunity of entry due to surveillance systems showing the exact position of a person or monitoring social media is even more detrimental. From that perspective, digitalization enables entry prevention, the visibility of individuals, and can lead to illegal refoulement.

From a surveillance perspective, there are also implications on the right to privacy through social media monitoring, confiscation of phones, and the tracking of the individuals’ movement upon arrival. This can also be disproportionate and can have very serious implications. When an individual does not have a sphere of private life there is absolutely no expectation of privacy, not only regarding personal data but even personal relations - e.g. family photographs, contacts etc.

And how about private actors? Do you see them having a role in this situation?

NV – Absolutely, there are different roles in which private actors have been co-opted. Firstly, from a policy perspective. The industry essentially dictates which technologies can be used in migration and border control, what is needed and how new tools should be implemented. This has been termed as “gritty information technology”. Simultaneously, private actors are co-opted in migration control not only in the design of such technologies, but in actually doing the job. We see that for instance with the PNR, where the private actor’s data is being stored and sent to the passenger information units. Similarly, the entry exit systems, the ETIAS and the VIS information systems, which allow private companies - e.g. flight companies - access to their databases, in order to check whether the documentation that a person has corresponds with the registered data. 1

Besides private actors, the role of other security actors as bureaucrats and border officers should be discussed as well. According to the literature – we mainly have the work of Rozakou in mind2 – their competencies and their autonomy are continuously extending, making them key actors in the “border play”. What do you think the growing reliance on border officers is going to entail?

NV – This is a huge problem that, unfortunately, cannot be addressed on an EU level: Member states have in fact significant procedural autonomy here, and are competent to decide which actors and authorities hold what kind of responsibilities and powers in asylum and migration control issues. In some cases, police authorities themselves are responsible for the identification, registration, and identity checks. Obviously, this is extremely problematic since it provides different immunities, which are simply incompatible with the administrative nature of asylum and migration law. The effects of the consequent fusion of mandates and responsibilities between immigration and law enforcement are now largely documented in the literature. First of all, such a merger creates a number of frictions: if migrant people are to be treated as criminals (which is what happens when police authorities are responsible for the procedures), they need to enjoy the procedural guarantees provided by criminal law, which remain absent in migration law. The consequence is a worrying mismatch between procedures, actors, and safeguards, resulting in a grey area between administrative and criminal law.

Do you believe that such frictions enhance the biopolitical dimension of digital border governance? Moving from here, do you consider that digitalization is promoting a “de-humanisation” process that risks interfering with the very notion of human dignity?

NV – The biopolitical dimension of digitalization is extremely prominent. Digitalization is, in fact, based on social sorting and on the categorization of third-country nationals into risk levels, estimated from the processing of their personal data. Consequently, individuals are made visible only if and when their personal data are grouped, sorted, interconnected, and used to make assumptions based on previous data. This process starts in the country of origin and continues along the transit territories: it does not simply happen at the borders, but rather in extremely wide areas. By treating the individual as a source of information that can be extracted, managed, and reviewed, the third-country national becomes data, broken down into figures describing physical characteristics, behaviour, emotions, as well as biographical and travel information. This is dehumanising, as the person is reduced to the sum of the data collected.

Furthermore, this mode of governance is based on the so-called “new gold” represented by extracted data, meaning that states are keen to use (almost) every possible means in order to collect them – even when it entails a violation of the dignity of a person. Fingerprinting, for instance, is essential: if people do not accept having their fingerprints taken, they might end up in detention or even be forced to provide their biometric data, potentially even if they are minors. By law, such a process should be voluntary, as made clear by the EURODAC Regulation. In practice, however, this is not the case: human dignity is thus not respected nor accounted for in the process.

You have worked extensively on the EURODAC system, and on how the latter has been transformed from a tool against “asylum-shopping” to a real policy tool of the EU. Could you describe this transformation?

NV – EURODAC started as a very limited tool for the administration of the Dublin system, essentially for the registration of asylum seekers. Still, this process takes place primarily on a national level: states decide by national law what kind of data to collect and how to assess situations of vulnerability. In the beginning, EURODAC required the fingerprinting of asylum seekers to determine whether they applied for asylum in another country, or – in the case of irregular migrants – if they had already entered a different EU country. The system was thus integrated into a very specific context, with a limited purpose: for this reason, it only collected a limited amount of data (fingerprints, time, and place of the collection of such data). Because of these limits in purposes and data collection, when VIS and SIS were developed, EURODAC remained the “ugly duck” of databases: a circumstance that had to be promptly changed.

The first opening up of EURODAC concerned the possibility of using its data for law enforcement purposes, raising several concerns and critiques. Moreover, since 2016, in the aftermath of the “refugee crisis”, many discussions have taken place, with the aim of broadening the scope of EURODAC beyond asylum, to include more general migration management purposes. The main reasons provided were two-fold: first, it was considered advisable to avoid the exclusive use of EURODAC within the (clearly non-efficient) Dublin system, as it would have delegitimized the database. Second, the unfolded potential of EURODAC in identification processes and the repatriation procedures was considered wasteful.

Today, EURODAC is used without differences for asylum seekers, refugees, and some categories of migrants, but it is more than likely that in the future it will be also used for other forms of protection – think for instance of protection granted on humanitarian grounds and on the temporary protection recognized to people fleeing Ukraine.

With databases such as EURODAC growing in their scope, are national, European, and international legislations keeping pace in order to develop adequate safeguards, and prevent forms of abuse?

NV – In a nutshell: no. This is an area where there are several layers of concern. First of all, there is a significant lack of expertise, even among specialists. On the one hand, data protection scholars are not aware of the specificities of migration law and its procedures; on the other hand, migration scholars that are on the ground and have the advantage of being in direct contact with people suffering human rights violations are not data protection experts, and can thus provide only limited support. It would be crucial to bridge these two fields: because of the proliferation of systems and of the shifting and changing nature of borders it would be key to find a common language.

Furthermore, there are many criticalities also with regard to access to justice. If a person has been denied entry before passing the border, for example, because their visa has been denied, (potentially thanks to risk alerts resulting from the analysis of their personal data), which Court should they refer to in order to have their rights respected? Essentially, access to justice can only take place after access to the territory is granted. Outside of the territory, viable correctives could come from monitoring mechanisms ensuring that individual complaints are adequately handled. However, such mechanisms do not currently exist in EU law. Of course, in order to make them work, the necessary political will would be required, so that they do not end up like the notoriously inadequate Frontex monitoring mechanism. These are increasingly vital questions also considering the growing interoperability among systems.

To conclude, we would need more avenues for the judicial or extrajudicial revert. However, they should be thought of and designed strategically, anticipating how such systems are going to be used in practice.

You mentioned the importance of interoperability. In addition to the risks that we have already discussed, do you see other issues that should be mentioned?

NV – There are many possible interferences, at many levels. The problem with interoperability is that, unless it becomes fully operational, we cannot see the full extent of its potential consequences for individuals. Today, there are still many systems in the migration domain that will, in the future, be connected with information systems in different fields, such as law enforcement systems. As a result, any mistake existing in the system would be significantly enhanced, creating false matches, connections, and assumptions. Moreover, because of the complexity of such mechanisms, it is going to be increasingly difficult to assure the respect of individual rights.

Further concerns arise around Article 20 of the Interoperability Regulation. In a nutshell, the latter enables police authorities to use the Common Identity Repository, and randomly check individuals, as regulated under national law, in order to verify whether people who look like foreigners are already present in the system. Of course, this process is highly problematic and discriminatory. In conclusion, interoperability changes the conditions under which one can access the systems. If individual systems can be used for law enforcement purposes, within the interoperability framework, specific conditions regulating access to each system can be torn out, enabling access by default to police officers. In the future, officers will have to explain ex-post why they need to access a system, while this process should happen before the data is accessed: another wall between law enforcement and migration will fall, making the distinction between the two even more liable.

This raises once again the importance of the relation between human actors and the systems, the overall “socio-technical assemblage”. Do you think that the role of human actors in smart borders is becoming more marginal (for instance, in terms of the reduction of spaces of discretion) or more meaningful?

NV – Apparently, different studies show that there is a tendency according to which some people prefer having a machine taking a decision on them because they consider that it would be fairer and less discriminatory. I believe this is only a myth created by scientists: every automated and intelligent decision system is built on prior decisions, which have been made by humans – and which are discriminatory. Algorithms in themselves will not make decisions fairer. Whether the human is in or out of the loop, human decision-making remains there. What I see is a vicious circle: there will be growing reliance on what the machine says (this is called automation bias), while the human in the loop will be bound to replicate the discriminatory approach promoted by algorithms (that have themselves been developed based on past discriminatory human behavior).

To conclude, we would like to ask how you understand and interpret the relationship between “physical” borders and digital ones. In critical border studies, there exist different approaches to the issue: some scholars argue that smart borders have replaced physical ones, others that they have transformed them, or that they function as a complementary “frontier”. Where do you stand in this debate?

NV – There is no substitution: the physical border remains there, it is a very crucial part of the social sorting taking place at the frontier. However, also talking about complementarity can be misleading. There is in fact a clear prominence of digital borders. Moreover, also the “distant border” should be taken into account: it is the externalised border, starting in the country of origin and ending up within the territory of the Member states. The border has transformed not only from physical to digital, but it has also changed in geographic terms, with grey areas emerging everywhere. Furthermore, it should be recalled that the person carries the border throughout all the travel: their biometric data could be collected at any time. The most important change in my opinion is exactly this: the obstacle to movement, the border, enters the body.

1 ETIAS stands for European Travel Information and Authorization System. It is a completely electronic system that allows and keeps track of visitors from countries who do not need a visa to enter the Schengen Zone. This travel authorization system will gather, keep track of, and update necessary information regarding visitors to determine whether it is safe for them to enter Schengen countries. The Visa Information System (VIS) is a computerised system for sharing data on visas for entry into the Schengen Area between the states that are part of it. It contains personal information, including fingerprints, about those who apply for a visitor’s visa and the name and address of the person or organisation who has invited them.

2 Rozakou, Katerina. (2017). Nonrecording the “European refugee crisis” in Greece: Navigating through irregular bureaucracy. Focaal. 2017. 10.3167/fcl.2017.770104.

Cover image generated by Stable Diffusion prompted with "Borders, technologies, databases, challenges in migration" and some extra style tweaks.