The Registration of Beneficiaries of Temporary Protection: Eurodac to the Rescue?

Forum on the EU Temporary Protection Responses to the Ukraine War 

Contribution by Niovi Vavoula, Lecturer (Assistant Professor) in Migration and Security, Queen Mary, University of London

25 August 2022

  1. Introduction

The Russian invasion in Ukraine has brought to the fore numerous legal issues regarding the protection of Ukrainian nationals, but an aspect that has gone (almost) under the radar is whether Ukrainians beneficiaries of temporary protection should have their personal data collected and stored at supranational level in an EU large-scale information system, namely Eurodac. This contribution aims to critically appraise this expansion of the Eurodac scope to include personal data collected by beneficiaries of temporary protection. I will do by first providing a concise overview of the existing Eurodac rules and those under negotiations, via two Commission proposals in 2016 and then in 2020. Then, I will provide the context within which Eurodac’s scope will be extended and the corresponding revisions proposed by the Councl following by critical reflections on this reform.

  1. Eurodac in a Nutshell

Operational in 32 countries since 2003, Eurodac is an EU-wide information system that primarily processes the fingerprints of asylum seekers and certain categories of irregular migrants, namely irregular migrants apprehended in connection with their irregular border crossing and irregularly staying migrants. Eurodac was initially designed to assist in the implementation of the Dublin system for the determination of the Member State responsible for examining an application for international protection. In what has been one of the thorniest issues regarding the operation of Eurodac, in 2013 a recast Eurodac Regulation (Regulation (EU) 2013/603) was adopted (and remains applicable to date), the aim of which was mainly to allow law enforcement authorities and Europol to conduct comparisons of their data with Eurodac fingerprints under specific conditions, for the purpose of preventing, detecting, and investigating terrorist offences and other serious crimes (for further information see here).

In the asylum context, Eurodac’s aim is to track secondary movement in the EU by obliging Member States to collect the fingerprints of every asylum seeker over the age of 14 when they apply for international protection. These are compared with fingerprints already transmitted and stored by other participating countries. A match is presumed to mean that another Member State has already recorded the applicant’s fingerprints and that state could be requested to take back the asylum applicant on the basis of Dublin rules. Furthermore, under the Eurodac rules, Member States must collect the fingerprints of all third-country nationals apprehended in connection with the irregular crossing by land, sea or air. In addition, third-country nationals who are found illegally present on national territory, their fingerprints can also be collected and checked against Eurodac to determine whether they have previously applied for international protection in another Member State. However, under the current rules, there is no obligation for Member States to undertake this procedure.

Eurodac fingerprinting does not determine the identity of a person per se, though it does contribute to their identification, because a link may be established between an applicant and a past Eurodac entry, which is verifiable through information sharing between the state that conducts the check and the state that made a past Eurodac entry. The retention period of asylum seekers’ fingerprints is 10 years. The retention period for storing the data of irregular border-crossers is eighteen months, given that according to the Dublin rules the time period for which a Member State is responsible for dealing with an asylum application is one year. Fingerprints collected from beneficiaries of international protection are neither automatically blocked nor deleted, but ‘marked’ for a period of three years. This means that these data must remain at the disposal of national authorities for both asylum and law enforcement purposes and, upon the expiry of the three-year period they are blocked until their erasure.

When the recast Eurodac Regulation came into effect, the influx of refugees and migrants into the EU was increasing. Certain Member States became overwhelmed with the obligation of fingerprinting those that arrived at the external borders; these individuals then further transited through the EU en route to their preferred destination.  On 4 May 2016, the Commission adopted a recast proposal, which formed part of the broader reform of CEAS, essentially detaching Eurodac from its asylum framework and repackaging it as a tool to pursue ‘wider immigration purposes’, including the return of irregular migrants.

Eurodac was considered by the Commission to be potentially useful in situations where Member States face problems in identifying irregular migrants found on national territory who use deceptive means to avoid identification and to frustrate the procedures for re-documentation in view of their return and readmission. The proposal marked a landmark change in Eurodac’s purpose, based on a deflection continuum, whereby the expulsion and non-protection of third-country nationals who may seek international protection is not only undesired, but more worryingly pre-empted. The transformation of Eurodac has been sweeping, including additional categories of personal data including a facial image, lowering the fingerprinting age to six years, increase in the retention of irregular border crossers’ data from 18 months to 5 years and possibility of transfers of Eurodac data for return purposes. These reforms have been criticised about their necessity and proportionality, in view of the detachment of Eurodac from its asylum context to pursue wider migration purposes and the potential that asylum seekers’ data will be used essentially ‘against’ them in order to prove their identity for the purposes of removal.

The negotiations on that proposal led to an interinstitutional agreement between the co-legislators in 2018. During the negotiations additional aspects were agreed: increased safeguards for the capturing of minors’ biometric data, lowering certain standards for law enforcement access and inserting within the scope of Eurodac beneficiaries of humanitarian admission or national resettlement schemes. Due to the deadlock in reaching an agreement to the whole package of legislative measures, no revised Regulation was formally adopted.

Then, on 23 September 2020, the Commission proposed further amendments to the Eurodac regime, in the framework of the New Pact on Migration and Asylum, which essentially will transform the system from a digital sidekick of the Dublin system into a tool in support of EU policies on asylum, resettlement and irregular migration. Following the sweeping overhaul of the Eurodac changes via the 2016 proposal, the proposed changes have been rather modest here and essentially aim to ensure consistency between Eurodac and the pre-entry screening rules in accordance with the Proposal for a Screening Regulation; and the addition of information as to whether the individual in question is a rejected asylum applicant, a visa holder, a voluntary return and reintegration assistance (AVRR) grantee or an internal security threat. Also, individuals who have been rescued following a Search and Rescue (SAR) operation will be registered under a different category (for an analysis see here). On 22nd June 2022, the Council approved negotiating mandate on the Eurodac dossier with the aim for interinstitutional negotiations to take place in autumn.

  1. The Inclusion of (Ukrainian) Beneficiaries of Temporary Protection within the Scope of Eurodac

Amidst the negotiations of the revised Eurodac proposal, the war in Ukraine started necessitating speedy response to the displacement crisis. Following the activation of the Council Directive 2001/55/EC (Temporary Protection Directive), in accordance with Council Implementing Decision 2022/382 establishing the existence of a mass influx of displaced persons from Ukraine, the Commission published Guidelines on the implementation of the Decision.

The Guidelines focused among others on the registration of personal data under Article 10 of the Temporary Protection Directive which obliges Member States to register the personal data (name, nationality, date and place of birth, marital status, and family relationship) of the persons enjoying temporary protection on their territory laid down in Annex II. The Commission explained that in this process Members States should consult relevant international, EU and national databases during their checks and investigations, and in particular the alerts on persons and documents in the Schengen Information System (SIS).

As there is no legal basis for registering beneficiaries of temporary protection in any EU large-scale IT system, the Commission advised Member States to register these persons in their national registers for foreigners or other national registers. Member States should not register any other personal data than those covered by Annex II, which as it will be explained later, it does not offer much guidance due to vague and contradictory wording of the Temporary Protection Directive. Already at this stage, the Commission recognised this arrangement as a challenge because it limits the capacity of exchanging information, which can only take place bilaterally via DubliNet, for example to trace and detect if the same person is benefiting from the rights attached to temporary protection in more than one Member State.

In the extraordinary Justice and Home Affairs Council of 28 March 2022, a 10-Point-Plan for stronger European coordination on welcoming people fleeing the war from Ukraine, was agreed. Among its priorities was the establishment of an EU platform for registration was prioritised to enable Member States to exchange information to ensure that people enjoying temporary protection or adequate protection under national law can effectively benefit from their rights in all Member States, while addressing instances of double or multiple registrations and limiting possible abuse. This technical solution, which was developed by the Commission and implemented by eu-LISA, was launched on 31 May 2022.

Adapting Eurodac by adding within its personal scope beneficiaries of temporary protection as a new category takes cue from the efforts to ensure registration of Ukrainians fleeing the war. The expansion of the Eurodac scope signifies that beneficiaries of temporary protection will be subject to the same (revised) requirements of collection and storage of personal data. The idea behind this reform has been presented as directly linked to Article 10 of the Temporary Protection Directive according to which Member States must register a series of personal data referred to in Annex II of the Directive with respect to the persons enjoying temporary protection on their territory. Articles 26 and 27 of the Temporary Protection Directive specify the purposes of this registration obligation, in particular the exchange of information between Member States, including in view of the transfer of a beneficiary of temporary protection from one Member State to another.  Besides, relocation perhaps seeks to detect and prevent further secondary movements.

As revealed by Statewatch, the French Presidency proposed expanding the Eurodac database even further, to include beneficiaries of temporary protection on 29 April 2022 and received explicit support by a number of Member States (Austria, Bulgaria and Germany). Others, notably Hungary and Poland, strongly opposed this extension because the universal application of the registration requirement would precisely cover Ukrainian beneficiaries of temporary protection and thus, they requested an exemption of the personal scope. Another source of concern involved the 72-hour timeframe for transmitting the collected personal data to the Central System of Eurodac and to the Common Identity Repository (CIR) – a new database with certain personal data from all the underlying systems except the SIS. The Polish representation, which has received almost two million Ukrainian refugees, took the view that in the context of the experience resulting from Russia’s aggression against Ukraine and the flow of people to countries bordering Ukraine, the proposal should be considered as ‘unrealistic’. This is because the introduction of a new category of persons to be registered in Eurodac with the same deadlines as those applicable for asylum seekers is ‘practicable impossible to be performed due to the limited human resources and the Automated Fingerprint Identification System (AFIS) under which the Eurodac Interface operates, which is not intended to allow such volume of data to flow’. This view is in striking contrast with their persisting position requiring EU Member States such as Greece to do precisely what they deem unrealistic to do.

In the end, the Council General Approach of 22 June 2022 to a large extent addresses these concerns: the new category of beneficiaries of temporary protection was included, with the understanding that this reform will not apply to persons displaced by the war in Ukraine, given that their registration is in any case handled by the technical platform designed by the Commission and eu-LISA In that regard, a last sentence in Article 47 of the revised Eurodac Regulation explains that the Eurodac rules ‘will not apply to those persons benefiting from temporary protection pursuant to Council Implementing Decision 2022/382, and any other equivalent national protection taken pursuant thereto, any future amendments to Council Implementing Decision 2022/382, and any extensions thereto’. Beneficiaries of temporary protection are not limited to those defined in the Temporary Protection Directive, but it will include those benefiting from any other equivalent national protection introduced in response to the same event.

To curb concerns about the feasibility of these registration requirements, Article 14c(2) of the General Approach introduces a 10-day deadline for submission of the relevant data to the Central System and CIR. The registration as a beneficiary of temporary protection will follow the possible apprehension of the person in connection with the irregular crossing of the external borders, irregularly staying on national territory or disembarkation following a search and rescue operation, which are the other categories under which third-country nationals are recorded under Eurodac rules. This means that in the future the registration of a beneficiary of temporary protection – except Ukrainians who are, as mentioned above, excluded – does not exempt Member States to register those persons first under those other categories, depending on which it will apply. The proposed retention period of those data is three years from the date of the entry into force of the relevant Council Implementing Decision activating the Temporary Protection Directive rules.

  1. Critical Reflections on Eurodac’s Expansion

The rationale behind this expansion is very unclear and does not sit well with the Temporary Protection Directive with which it is linked. Article 10 of the latter indeed stipulates that in order to enable the effective application of the Council Decision recognising the existence of a mass influx of displaced persons, Member States must register the personal data referred to in Annex II with respect to the persons enjoying temporary protection on their territory. Annex II confusingly states that the information ‘includes to the extent necessary one or more of the following documents or data’ (emphasis added):

 (a) personal data on the person concerned (name, nationality, date and place of birth, marital status, family relationship);

(b) identity documents and travel documents of the person concerned;

(c) documents concerning evidence of family ties (marriage certificate, birth certificate, certificate of adoption);

(d) other information essential to establish the person’s identity or family relationship;

(e) residence permits, visas or residence permit refusal decisions issued to the person concerned by the Member State, and documents forming the basis of decisions;

(f) residence permit and visa applications lodged by the person concerned and pending in the Member State, and the stage reached in the processing of these.

Annex II therefore does not provide a fixed, exhaustive list of information to be collected at the national level, but leaves discretion to the Member States to decide what is necessary (and also available). In turn, according to the proposed rules, in relation to beneficiaries of temporary protection Eurodac will stored very similar categories of personal data, namely:

(a) fingerprints;

(b) a facial image;

(c) surname(s) and forename(s), name(s) at birth and previously used names and any aliases, which may be entered separately;

(d) nationality(ies);

(e) date of birth;

(f) place of birth;

(g) Member State of origin, place and date of registration as beneficiary of temporary protection;

(h) sex;

(i) where available, the type and number of identity or travel document, the three letter code of the issuing country and expiry date;

(j) where available, a scanned colour copy of an identity or travel document along with an indication of its authenticity or, where unavailable, another document

(k) reference number used by the Member State of origin;

(j) date on which the biometric data were taken;

(k) date on which the data were transmitted to the Central System and to the CIR as appropriate;

(l) operator user ID;

(m) where relevant, the fact that the person previously registered as beneficiary of temporary protection falls under one of the exclusion grounds pursuant to Article 28 of Directive 2001/55/CE;

(n) reference of the relevant Council Implementing Decision.

Juxtaposing the two lists demonstrates that the categories of personal data only partly correspond to one another; this disconnection though may be forgiven considering that Annex II does not provide fixed categories of personal data that should be collected at national level and that in any case Eurodac does not store some categories of personal data, such as family relationship, or other documents. The collection of biometric data is also not mandated under the Temporary Protection Directive, although one might counter argue that ‘other information essential to establish the person’s identity’ may include biometric identifies such as fingerprints and facial images.

The disconnect between Eurodac and the Temporary Protection Directive is also evident from the fact that the purpose of collection of personal data under Article 10 relates to exchanges of personal data among Member States in the context of transfers of beneficiaries of temporary protection in accordance with Article 26. Facilitating the exchanges of information for the purposes of detecting temporary protection shopping is not among the objectives of data exchanges. Consequently, to use Article 10 as a justification for expanding the Eurodac scope and inserting the implementation of the Temporary Protection Directive as one of the objectives of Eurodac sits at odds with the wording and the spirit of the Directive.

Besides, evidence about beneficiaries of temporary protection moving across EU Member States is scarce and it could be argued that Ukrainian refugees could perhaps be more interested in remaining in neighbouring countries in anticipation that the war is over and they return to their homes. Furthermore, to maintain a balance of responsibility among EU Member States free onward movement of Ukrainian refugees could actually be an ideal solution, which was what the Commission argued in its proposal to activate the Temporary Protection Directive. It appears that this is a pre-emptive approach future-proofing the legislations as ‘further issues of registration of potential beneficiaries of temporary protection should be anticipated’ without any discussion as to what these can be.

Furthermore, the Temporary Protection Directive was adopted in 2001, at the time when the original Eurodac Regulation had already been adopted; however, there was a distinct period where the negotiations for the two instruments were overlapping. To the best of my knowledge there had not been any discussion to include third-country nationals who are beneficiaries of temporary protection within the scope of Eurodac, which was at the time only to serve Dublin-related purposes. The disentanglement of Eurodac from its Dublin origins and its rebranding as a multi-purpose tool has allowed to bring those individuals who have evaded having their personal data collected and stored at EU level within the Eurodac scope, in the rather uneasy manner that was explained above. Even so, it could be inferred that Eurodac was never meant to cover this group of people.

As explained by Ineli-Ciger, until this year the Temporary Protection Directive had not been activated; even the Commission had proposed to replace it and proposed as part of its New Pact on Migration and Asylum to introduce ‘immediate protection’ in the Proposal for a Regulation addressing situations of crisis and force majeure in the field of migration and asylum, instead. However, beneficiaries of such immediate protection were not to be registered in Eurodac under a separate category. This is presumably because the applicants would first have to apply for international protection, and thus go through the Eurodac rules as such anyway, and then the Member States could apply the asylum crisis management procedure. This presumption though is rather weak; as explained earlier, the fact that beneficiaries of temporary protection will be registered as beneficiaries of temporary protection does not mean that they will also not be registered under another category. The 2020 Eurodac proposal did not even foresee that in connection with individuals who would be offered immediate protection an indication or a reference in the system would be included.

In addition, one could also wonder whether the expansion of the Eurodac scope is necessary considering that Ukrainians nationals – the only beneficiaries of temporary protection in the 20 years of the Temporary Protection Directive’s life – will actually be excluded from its scope owing to the creation of the technical platform. In other words, the displacement in Ukraine has been simply an excuse for further expanding Eurodac’s scope. Eventually the Polish and Hungarian governments won leaving an uneven and unequal model of responsibility regarding the new reform of Eurodac obligations among EU Member States. Reading between the lines it could also be interpreted as meaning that there is potential for another activation of the Temporary Protection Directive in the future. However, future-proofing the legislation about future issues that may arise in connection with beneficiaries of temporary protection seems a rather remote and vague justification. The solution that was found through the technical platform has proved to be good enough and if in the future another such occasion would arise, a similar approach could be taken as well.

Finally, from a positive perspective, excluding Ukrainian nationals from Eurodac’s scope breaks a long-standing pattern of surveillance of movement of nearly the entire non-EU population with an administrative or criminal law link with the EU (see here). Ukraine is a visa-free country for entry into the EU, which means that Ukrainian nationals are free to cross the Union’s external borders for stays of no more than 90 days in any 180‑day period. It does however raise further questions about possible discrimination among different groups of third-country nationals considering the Ukrainians seem to benefit from a higher degree of privacy protection compared to other groups of people. Therefore, for now there is no database that contains personal data of visa free travellers, but by next year both the Entry/Exit System (EES) and the European Travel Information and Authorisation Systems (ETIAS) are set to become operational.

  1. Final Remarks

Overall, the relationship between the two pieces of legislation is rather uneasy with no alignment between the legislative instruments. Should this unnecessary and poorly justified revision be here to stay a number of unanswered questions must be settled during the negotiations: For example, how do the personal data collected under the Eurodac rules connect with those prescribed in Annex II; Is the three-year retention period proportionate? How do the different retention periods (e.g. as an irregular migrant and as a beneficiary of temporary protection) fit together? These issues are bound to pre-occupy the Parliament in autumn. In line with past efforts (already since the Slovenian Presidency of the second half of 2021) to speed up Eurodac negotiations, the Council General Approach essentially delinked the Eurodac dossier for the rest of the asylum reform in order to make it possible to start gathering more data on extended categories of people (in particular, undocumented migrants) without other new legislation being in place. It remains to be seen how the negotiations will progress in the near future.