Professor Steve Peers, Royal Holloway University of London

Photo credit: Rachmaninoff, via Wikimedia Commons

This blog post has been amended since its initial publication, with asterisks marking the changes.* The most recent update was on June 18, 2024.

Shortly before Christmas, the European Parliament and the Council, the EU body representing ministers from Member States, agreed on five crucial aspects of EU asylum law. These aspects include asylum procedures, the ‘Dublin’ system for determining responsibility for asylum claims, the ‘Eurodac’ database that supports the Dublin system, the screening process for migrants and asylum seekers, and derogations during crises. These five laws joined previously approved legislation concerning the criteria for refugee status and subsidiary protection, reception conditions for asylum seekers, and the resettlement of refugees from outside the EU. This collection of laws constitutes a comprehensive ‘package’ intended to reform EU asylum law. This package was officially adopted on May 14, 2024, and subsequently published in the Official Journal on May 22, 2024.*

This blog post series, based on a forthcoming article,* examines this new legislation. This particular post, the fourth in the series, focuses on the new Regulation concerning Eurodac, the system responsible for gathering personal data to ensure the implementation of EU asylum laws. Previous posts in this series have covered the new Regulation on qualification (part 1), the updated Directive on reception conditions (part 2), the new Regulation on refugee resettlement (part 3), the new Regulation on the screening of migrants (part 5), the revised Dublin rules on responsibility for asylum seekers (part 6), the Regulation on asylum procedures (part 7), and the crisis regulation, along with general observations (part 8).*

This 2024 package complements the earlier Regulation that revised the powers of the EU asylum agency. This particular regulation was addressed separately and adopted in 2021.* (For a broader understanding of EU asylum law, refer to the relevant chapter in the latest edition of EU Justice and Home Affairs Law. This post’s summary of the current Regulation is adapted from that chapter).

Background of the New Eurodac Regulation

The development of the Common European Asylum System (CEAS) has unfolded in two distinct phases. The first, primarily between 2003 and 2005, and the second, mostly between 2011 and 2013. The 2024 package essentially represents a third phase, even though the EU refrains from explicitly labeling it as such.*

The original Eurodac Regulation (known as the ‘2000 Regulation’) predates the first phase of the CEAS. It was adopted in 2000 to supplement the Dublin Convention on the allocation of responsibility for asylum requests, which also came before the first phase. The 2000 Regulation was later superseded in 2013 during the second phase of the CEAS by the ‘2013 Regulation.’

The 2013 Regulation mandates the fingerprinting of asylum seekers aged fourteen and above. These fingerprints are then transmitted to a ‘Central Unit’ that compares them against existing and future fingerprint records to identify individuals who have lodged multiple asylum applications within the EU. The 2000 Regulation also had this requirement, but the 2013 Regulation expands the scope to include not just those applying for refugee status, but also those seeking subsidiary protection, a distinct form of international protection for individuals who don’t qualify for refugee status. (For more details on these definitions, refer to Part 1 of this series.)

Additionally, Member States are obligated to collect fingerprints from all third-country nationals who have crossed borders irregularly and forward these to the Central Unit. This is to determine the first point of unauthorized entry into the EU, a key factor in establishing responsibility for asylum applications under the Dublin rules. Fingerprints must be taken within 72 hours of an application for international protection or apprehension for illegally crossing an external border.

Member States have the option to fingerprint third-country nationals discovered residing illegally within their borders. These fingerprints can then be sent to the Central Unit to ascertain if the individual has previously applied for asylum in another Member State. If so, the other Member State might be obligated to take them back under the Dublin rules. It’s crucial to note that the 2013 Regulation doesn’t mandate the collection and transmission of fingerprints for this group, and the Eurodac system does not store this data. Law enforcement agencies and Europol also have conditional access to Eurodac data.

Under the 2000 Regulation, data on recognized refugees was initially blocked once they were granted refugee status. However, the 2013 Regulation removed this block. Conversely, the 2013 Regulation shortened the data retention period for irregular border crossers in the Eurodac system from two years to 18 months.

Unlike other EU asylum laws, the Eurodac Regulation hasn’t been subject to interpretation by the Court of Justice of the European Union (CJEU), so understanding its full implications doesn’t require analyzing case law.

Both the UK and Ireland opted into the two previous Eurodac Regulations. However, the 2013 Regulation, along with the Dublin rules, ceased to apply to the UK at the conclusion of the Brexit transition period. Ireland opted out of the proposed 2024 Regulation but has expressed its intent to opt back in once it is formally adopted.* Through a treaty with the EU regarding the implementation of Dublin and Eurodac, Denmark is also subject to Eurodac. Similar treaties are in place with Norway and Iceland and Switzerland (including a protocol for Liechtenstein) for the application of both the Dublin rules and Eurodac.

It’s essential to view each of the new EU asylum measures within the larger context of the package, a theme explored throughout this blog series.* Historically, the Eurodac Regulation has been closely intertwined with the EU’s Dublin rules on assigning responsibility for asylum requests. This connection is further amplified in the updated version of the Regulation, which establishes additional links with other EU asylum laws, as discussed below.*

The legislative journey leading to the agreed-upon text for the revised Eurodac Regulation commenced with a Commission proposal in 2016, prompted by the then-perceived refugee crisis. A revised version was presented in 2020 as part of a renewed effort to reach a consensus on asylum regulations. While the negotiations involving EU governments (the Council) and subsequently between the Council and the European Parliament were complex, they have now concluded. This blog post focuses solely on the final text, setting aside the intricacies of the negotiation process. The analysis will primarily highlight the distinctions between the new Eurodac Regulation and its 2013 counterpart, the key features of which have been outlined above.

Fundamental Points

The 2024 Eurodac Regulation, like other measures in the asylum package, is set to be implemented roughly two years after its adoption, specifically on June 12, 2026.* It’s important to note that special rules will govern the application of this Regulation to temporary protection, meaning the application of the EU temporary protection Directive, which offers initial short-term protection during mass arrivals. So far, this directive has only been used once, specifically for those fleeing the conflict in Ukraine.

One of the first changes introduced by the 2024 Eurodac Regulation is the broadening of its scope. Initially intended to support the Dublin system, with some provisions for law enforcement data access, the updated regulation now aims to provide more general support for the asylum system. This includes aiding in the implementation of the Resettlement Regulation (discussed in part 3 of this series), managing irregular migration, identifying secondary movement, protecting children, verifying identities, supporting both the EU travel authorization system and the Visa Information System, generating statistics for “evidence-based policymaking”, and assisting with the implementation of the temporary protection Directive. While the clause pertaining to “purpose limitation” regarding the use of personal data has been significantly expanded, it’s now coupled with a general safeguard for human rights.

The types of data collected have also been expanded. Beyond fingerprints, the regulation now encompasses “biometric data,” which includes “facial image data.” The 2024 Regulation introduces the collection of additional data types and more explicitly emphasizes the obligation to collect such data. This emphasis is accompanied by both additional safeguards and “the possibility of employing coercive measures as a last resort.”

Previously set at 14, the age at which data collection from children begins has been lowered to six. While specific safeguards are in place for children, the language used is concerning. For example, the regulation states that “[n]o form of force shall be used against minors to compel compliance,” yet also mentions that “a reasonable degree of coercion may be used against minors to ensure their compliance.”

New provisions in the 2024 Regulation seek to ensure interoperability with other EU databases, namely ETIAS (European Travel Information and Authorisation System) and the Visa Information System. Moreover, the use of Eurodac for generating immigration statistics will see significant expansion.

The collection of data for Eurodac will continue for asylum seekers and individuals crossing external borders irregularly, with supplementary data collected on any changes to the data subject’s status. Notably, data on irregular migrants will now be collected and stored as standard practice, as opposed to being merely checked against the database without storage, which was optional in the past. This shift is intended to improve the identification process. Additionally, data collection will now occur for the first time in four new scenarios: resettlement within the EU under the new Resettlement Regulation; resettlement at the national level; search and rescue operations; and instances where the EU temporary protection Directive is invoked. However, this extension to temporary protection scenarios will only apply to potential future applications of the temporary protection Directive. It does not encompass those individuals granted protection under the 2022 activation of the Directive for individuals fleeing Ukraine.

Data for most of these categories will undergo automatic comparison with existing data in Eurodac. As before, data pertaining to asylum seekers will be retained for ten years. However, data on individuals who cross borders irregularly will now be kept for five years, up from 18 months. For data collected for the first time under the 2024 Regulation, retention periods vary but are typically five years. In cases involving temporary protection, the retention period is tied to the protection duration stipulated by EU law, which is currently capped at three years. Similar to previous regulations, data will be deleted ahead of schedule if an individual is granted citizenship in a Member State. However, for those who have crossed borders irregularly, data will not be removed if they depart the country or obtain a residence permit. Conversely, data on those granted international protection will be retained for the standard 10-year period instead of being deleted after three years as was previously the case.

Lastly, the significant increase in data collection, particularly with regards to data protection, will be governed largely by the same standards as before, albeit adapted to include the collection and comparison of facial images and data concerning security risks. One notable change is the introduction of provisions allowing for the transfer of data to non-EU countries for the purpose of facilitating returns.

Observations

The Commission did not conduct a specific impact assessment focused on the amendments to the Eurodac Regulation. The justifications presented in the Regulation’s preamble are rather broad. However, the explanatory memoranda accompanying the Commission’s proposals offer more detail. The 2016 proposal advocates for expanding the use of Eurodac beyond its initial purpose of facilitating the Dublin system. It argues that Eurodac should be used as a more general immigration control tool. The Commission believes this justifies the use of the system for identifying individuals residing illegally within the EU, which would involve increased data comparison. The collection of data from younger children is justified on safeguarding grounds, particularly to facilitate the tracing of parents in cases of separation. The collection of facial images and other new data types is presented as a means to improve identification processes. Collecting data on relocation is deemed necessary to ensure that asylum seekers are transferred to the correct Member State in accordance with the Dublin rules. The decision to retain asylum seeker data for ten years, even in cases where a claim has been successful, is based on the rationale that this data might be needed if the individual relocates without authorization and needs to be returned to the responsible Member State. The extension of data retention periods for those who cross borders irregularly, coupled with fewer provisions for early deletion, is justified by potential future needs related to return procedures.

In the revised 2020 proposal, the Commission argues that these changes are necessary to maintain consistency with other new rules concerning search and rescue, resettlement, modifications to the core Dublin rules, screening processes, the establishment of lists of rejected applications (to facilitate the enforcement of rules regarding repeat applications), and internal security risks (as these preclude relocation under the Dublin rules).

Many of these justifications, which are not backed by comprehensive statistical analysis due to the lack of a specific impact assessment from the Commission (a broad staff working document does not provide any additional details), can be challenged. Was it genuinely necessary to include future temporary protection scenarios, especially considering that an ad hoc solution was found for the current application of the temporary protection directive? More importantly, given the initial purpose of Eurodac, was the inclusion of such scenarios truly necessary, particularly when considering that the Dublin rules are essentially disregarded for beneficiaries of temporary protection, as is the case currently?

Given that the system now encompasses temporary protection situations, why isn’t the rationale behind the short data retention period for these cases applied more broadly? Or, at the very least, why isn’t the logic of retaining data on resettled individuals for five years – based on the likelihood of them obtaining long-term residency – also applied to individuals with other types of protection status or residence permits? The idea of deleting data once an individual obtains long-term residency, which was discussed during negotiations, was unfortunately abandoned. This points to a broader flaw in this package of amendments: the emphasis on strengthening the application of negative mutual recognition (where Member States recognize each other’s rejected applications) without a corresponding strengthening of positive mutual recognition (recognizing the successful applications in other Member States), and without addressing situations where individuals with protection status have legitimate grounds for relocating to another Member State (such as the threshold established in the Ibrahim judgment) or where long-term residents may exercise their right under EU law (specifically the Long-Term Residents Directive) to move to another Member State if they fulfill the required criteria. Lastly, there seems to be no justification for using the Eurodac system for return purposes, given the expansion of the Schengen Information System to serve the same function (including expanded data on entry bans and return decisions), which is already operational.

In conclusion, the new Eurodac system is poised to collect significantly more data, from a larger pool of individuals, for a wider array of purposes, and for extended durations – all with insufficient justification for many of these changes.