At next week’s plenary session in Strasbourg, the European Parliament is expected to agree to start talks with national ministers in the Council and the European Commission on a new entry-exit system.

At the end of last month, MEPs in the justice, civil liberties and home affairs committee voted by 38 votes to seven, to approve a new scheme known as the ‘Smart Borders Package’ that will require biometric data for every non-EU person entering and exiting the Schengen area — even from children as young as 12 years.

First proposed by the European Commission back in 2013, the Smart Borders project initially envisaged the implementation of a registered travellers programme, whereby non-EU citizens who visit the bloc frequently would get an electronic card containing their relevant information. But the latest plans go far beyond that, allowing national security agencies and the EU’s law enforcement agency Europol to access the data when investigating serious crime or terrorism.

A tool in the fight against terrorism

According to those supporting the scheme, the new system could help the EU identify illegal immigrants, suspected terrorists and members of organized crime groups. Those opposed say it will do nothing of the sort.

Currently, citizens from almost all of north, south and middle America, as well as Australia, New Zealand, Japan, South Korea, the Balkans, Israel, Kiribati, Mauritius and Malaysia, are exempt from visas when visiting the EU. The new Smart Borders package will require them to hand over identifying biometric data including fingerprints and face scans.

Proponents say the new system will speed up border checks by replacing the stamping of passports with an electronic system that stores data on the traveller, which will also make it easier to detect over-stayers and document or identity fraud. Stamps can be hard to read are relatively easy to counterfeit. The electronic system will therefore modernise the monitoring of travellers to the EU.

“The scheme poses a serious risk for the fundamental rights to privacy and data protection of everyone travelling to and from Europe. But it won’t prevent irregular migration,” says Estelle Masse, senior policy analyst at digital rights organisation Access. The scheme is estimated to cost as much as €1 billion. That is an awful lot of money to spend for “nothing more than better statistics,” she added.

Spanish MEP Agustín Díaz de Mera who prepared the text for the civil liberties committee however, has described it as “an indispensable tool for the security of European citizens”.

“The system will help identify terrorists and record their travel histories within the Schengen area. Thanks to the new checks, we will better combat the irregular migration of people exceeding a legal period of stay,” he added.

The Commission originally proposed storing the data for five years. This was considered too long for MEPs in the committee, who suggested a maximum two-year data retention period.

They also want to ensure that the text is in line with the provisions of the General Data Protection Regulation (GDPR), for example by allowing the data subject the right to access his or her own data.

Sacrificing civil liberties

One of those who voted against the proposals, is vice chair of the parliamentary committee Jan Philipp Albrecht. Albrecht, who steered the sprawling GDPR through parliament, said: “The majority of committee members have today chosen to sacrifice fundamental civil liberties in the interests of looking tough on crime and terrorism. These measures are not only completely disproportionate, they would also prove to be highly expensive, and largely ineffective. By backing these proposals, conservative and social democrat MEPs are choosing to treat all tourists and business people as potential suspects. The scheme is estimated to cost as much as €1 billion, money that would be much more effectively spent on the people and resources needed to tackle genuine threats.”

MEP Marie-Christine Vergiat agrees: “This text poses a danger to the human rights of thousands of men, women and children and would result in a presumption of irregularity, including for vulnerable individuals if they fail to fulfil the necessary administrative obligations. It is a complicated issue whose scope is still far from being clear and easily understood.”

The European Data Protection Supervisor, Giovanni Buttarelli, says although he supports efforts to keep EU borders safe and secure, that cannot be at the expense of fundamental rights. The European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7) grant the right to privacy to everyone, whether they are EU citizens or not.

“The European Travel Information and Authorisation System (ETIAS) proposal involves collecting personal data from visa-exempted travellers to the EU and checking it against a dedicated ETIAS watchlist, screening rules and information stored in other EU databases. As the information gathered will be used to grant or deny individuals access to the EU, based on the migration, security or health risks they may pose, it is vital that the law clearly defines what these risks are and that reliable methods are used to determine in which cases they exist,” says Buttarelli.

He is particularly concerned about a profiling tool that would enable the ETIAS system to single out individuals suspected of posing a risk, saying it raises “serious technical, legal and ethical questions, related to their transparency and accuracy.”

The EU Fundamental Rights Agency (FRA) conducted a survey during a Smart Borders pilot that tested three different technical options for collecting biometric data: fingerprints, iris scanning and facial recognition.

Privacy concerns

One fifth of people participating in the pilot project found the collection of biometric data, including fingerprints, to be intrusive and humiliating.  FRA interviewed more than 1,200 non-EU nationals at seven land, sea and air border crossing points during the summer of 2015 to assess the impact on fundamental rights including the right to dignity, privacy, data protection, discrimination and right to information.

While most respondents were found to be comfortable with providing biometrics when crossing borders, iris scans were considered to be most intrusive. Many respondents were also concerned that if something goes wrong and the system does not function as expected, they would not be able to cross the border.

Half of the respondents further believed that errors in their personal data could not be easily corrected—something the GDPR is supposed to allow them to do.

Almost half of the respondents said they trusted the reliability of biometric technologies, while 21 percent did not. The remaining 32 percent did not know or cannot say. Almost a third said that only over 18s should be required to go through biometric checks, and around two thirds believe the technologies used to collect biometric data could harm their health or are uncertain on this issue.

Masse said that at the very least, the system should promote privacy-by-design tools, such as data shredding or encrypted storage, rather than establishing a massive database of sensitive information.