Biometric Data, Data Protection Authorities, and Migrants: A Complex Nexus

[Rocco Saverino is a Doctoral Researcher at the Vrije Universiteit Brussel, working on the ALTEP-DP project. He joined the Law, Science, Technology, and Society Research Group in July 2022.]

Introduction 

Article 1 of the Universal Declaration of Human Rights (UDHR) opens with an important statement: “All human beings are born free and equal in dignity and rights”.

This statement is as strong as it is idealistic and, unfortunately, far from reality. It is not the same thing to be born in a European country or one that is far away from war, famine, political and social instability, religious persecution, and poverty, as to be born in a country where it is like that from birth until the (premature) death of its population.

So, we should not be surprised that the number of migrants, especially from Africa and the Middle East to Europe has been growing in recent years. In Italy, in particular, there has been an almost threefold increase in the number of migrants arriving in the last three years, as can be seen from the graph published by the Italian Department of Public Security:

Although it may appear that the most difficult and complicated part is the sea crossing, people arriving on European shores are faced with another part of the journey that is no less important for their future: the identification and asylum application procedure. 
Leaving aside the technical aspects of the latter, what is addressed here are the critical issues that the identification procedure entails with respect to the protection of personal data enshrined in Article 8 of the EU Charter of Fundamental Rights (CDFUE) and especially in Regulation (EU)2016/679 (GDPR).

Health, Genetic, and Biometric Data
According to Article 4 of GDPR, personal data is any information that can identify or make identifiable a specific person. Health, genetic, and biometric data are three types of data that fall under this category.

Health data refers to information that can be related to a person’s physical and mental state, including the medical treatments they receive. 

Genetic data refers to hereditary and genetic characteristics by providing unambiguous information, including genetic samples. 

Biometric data, on the other hand, are defined as those personal data that are obtained through techniques of physical, physiological and behavioural analysis of a person that provides unique information, such as iris scanning and fingerprint collection.

The collection of biometrics data, considered sensitive data under Article 9 GDPR, deserves special attention, especially in the case of identifying the correct legal basis on which data collection and processing are based (Article 6 GDPR). Even if public interest could constitute a suitable legal basis, consent should also be necessary to give the migrants a major awareness of their rights (i.e., information, access, correction, deletion, and objection).

The Biometric Data of the ‘Irregular Migrants’ 

The importance of biometric data also lies in their nature as a verification feature. Indeed, border authorities can check whether the person who presents his or her identity document, such as a passport or identity card, is actually the holder.

Moreover, this measure is compulsory for those who enter EU territory without a visa, as they are classified as irregular migrants.

The challenge in this context is the migrants’ lack of awareness about what data is being collected, by whom, for what reason, and until when. In this regard, even consent is worthless considering the particular psychophysical condition during which these data are collected, over and above the problems of language comprehension that make the process of consciously ‘giving away’ their data even more complicated. 

At the European level, these data flow into the European Asylum Dactyloscopie Database (EURODAC), whose main purpose is to ensure the effective application of the Dublin Regulation, so as to prevent multiple applications for asylum. The possibility of accessing these data and requesting their correction if they are incorrect is expressly laid down in Article 29 EURODAC. The prospection of requesting their deletion if they have been unlawfully processed is also granted, but it is not specified when they are to be considered unlawful. 

Since personal data protection is always at stake, the authorities competent to ensure that the respective rights are guaranteed here are the Data Protection Authorities (DPAs) in the respective Member States, as enshrined in Article 30 EURODAC. The point is that in spite of information brochures on their rights and the authorities to whom they can turn, effective understanding and assistance in this regard are put on the back burner. However, the importance of such data is not secondary, especially when one considers that they are instrumental to the proper application of asylum applications.

It is not only EURODAC; indeed, other entities like Humanitarian Organizations (HOs) and, more broadly, International Organizations (IOs) such as the United Nations, also collect biometric data in order to register beneficiaries of certain welfare measures. The motivation is to avoid fraud due to mistaken identity or double registration.

IOs and the Protection of Personal Data
As was pointed out, in the case of HOs, although some attention to the protection of personal data was also shown in the past, it is clear that it is not among their priorities, given the particular conditions under which they operate. Nevertheless, it is equally clear that the non-disclosure of personal data is also functional in ensuring greater security for the refugees themselves, who may also be fleeing from their families, as well as in guaranteeing the right to personal data protection. Steps forward in this context have been taken by IOs, which have implemented their own internal regulations, and academia is also participating more actively in drafting comprehensive guidelines.

However, as remarked by Marelli, the circumstance that IOs have adopted their own regulatory frameworks on data protection may have negative implications or at least deserve some attention given their potential conflict with national rules. A conflict may also be exacerbated by the peculiar legal status of IOs, which have privileges and immunities in the exercise of their functions.

GDPR, IOs, and DPAs

With regard to the application of the GDPR to IOs, there is who excludes it completely and who instead admits that its possible application should not be totally precluded, especially when the data processing falls within the material and/or territorial scope. I would venture to say that both hypotheses are more than valid. While it is true that whenever IOs are mentioned in the GDPR, they are mentioned in the same terms as third states, it is equally true that this does not mean that IOs and States have the same legal status. However, it is true that the GDPR’s silence regarding the imposition of any obligations on IOs is deafening and, in my opinion, deliberately ‘abstentionist’. 

A key role in enforcing data protection rules is played by Data Protection Authorities (DPAs). The mechanisms available to migrants may vary from jurisdiction to jurisdiction, complicating the challenge of recourse to them.
The point is that, in this particular situation, the application of the GDPR must be distinguished from its enforcement, as noted by Kuner. In fact, the immunities granted to IOs include legal proceedings, so even DPAs or a national court would have their hands tied if they wanted to act. However, although lacking binding power, a decision by the DPAs could take the form of an opinion, non-binding but nonetheless having a certain relevance, both because of the role they play and because of the negative consequences, especially in mediatic terms, that the IOs themselves could incur. 

Finally, adapting to the rules imposed by the GDPR on data protection, instead of complicating the process of data collection and processing, could make it more uniform. At the European level, harmonisation is increasing, almost making it easier to deal with this issue in a unified manner than at the national level.

Conclusion

Without going further into the issue of privileges and immunities, it is clear that these are functional to guarantee independence. Of course, if the powers of a Court are already limited, so much the more will be those of DPAs. If bound by different national laws, IOs would not be able to operate freely and their function of assisting in emergencies would be lost. Although data protection is a fundamental right, it is so in a different way from acting to save people’s lives. However, protecting personal data is pretty much the icing on the cake of the lifesaving work of the various IOs worldwide. If not guaranteed, at least in their countries of origin, the protection of personal data should be where it has become so important that it is followed as a model worldwide. The protection of personal data does not save lives (though not always), but it does save that dignity enshrined in Article 1 UDHR, restoring at least some of that inequality by being born on the ‘wrong side of the world’.

[The author participated in the ICRC Symposium 2024 as an expert in the following closed-door working groups:

• Mapping digital risks and digital harms
• Data protection, digital risks, data responsibility and ethics: How these frameworks for analysis interact to guide responsible use of technology in humanitarian action
• Measuring the harm of cyber operations to the people affected.]