Symposium: Advanced Digital Technologies in Migration Management: Data Protection and Fundamental Rights Concerns
The Processing of Health-Related Data in the Incoming European Travel Information and Authorisation System
The European Travel Information and Authorisation System (ETIAS) requires visa-exempt third-country nationals (TCNs) to complete an online application form before entering the Schengen Area for a short-stay visit. While applicants do not disclose their health status, the ETIAS is designed to assess the high epidemic risks posed by their presence in the European Union (EU). This post clarifies how the ETIAS processes TCNs’ health data and critiques the lack of specific safeguards protecting the data subjects’ rights under Article 8 of the Charter of Fundamental Rights of the EU (CFREU).
Health Data and Its Protection under the GDPR
Health data is any personal data on an individual’s physical or mental health, including past, present, and future health status. According to Article 4(15) of the General Data Protection Regulation (GDPR), data concerning health includes information inferred about the data subject’s state of health or health risk, irrespective of whether it is true, appropriate, or legitimate. Such information may be indirect or situational, and may include the place of residence, environment, lifestyle, work, and economic relationships. Under Article 9(1) of the GDPR, the processing of such data is prohibited, as it might lead to stigmatisation and discrimination, whatever the surrounding context and the purposes pursued. In a nutshell, health data is a special category of personal data because of its inherent sensitivity, which justifies a tightened regulatory regime. However, Article 9(2) of the GDPR sets forth exceptional conditions under which this prohibition can be lifted. These exceptional conditions include public interest in the area of public health, as long as EU or national law ‘provides for suitable and specific measures to safeguard the rights and freedoms of the data subject’ [let. i)]. Still, each Member State is free to provide for further conditions limiting such processing according to Article 9(4) of the GDPR.
ETIAS Screening Rules and High Epidemic Risk Indicators
As the European Data Protection Supervisor (EDPS) noted, health data are inferred indirectly throughout the ETIAS procedure. Two different stages are relevant: (1) when the high epidemic risk indicators are elaborated and the ETIAS screening rules are tested; and (2) when an application hits the high epidemic risk indicators stored in the ETIAS Central System (C-S), or the authorisation is annulled or revoked because the conditions for its issuing were not or are no longer met (e.g. false negative hits).
The European Border and Coast Guard Agency (rectius the ETIAS Central Unit) is establishing the high epidemic risk indicators by combining the information transferred by the World Health Organisation on disease outbreaks, by the European Centre for Disease Prevention and Control on epidemiological surveillance and communicable diseases, and by the Member States on high epidemic risks posing a serious cross-border threat to health, with known parameters (age range, sex, nationality, country and city of residence, level of education, and current occupation). As long as the data that the ETIAS Central Unit uses are not anonymised, their further use [which should undergo the compatibility test of Article 6(4) of the GDPR] interferes with the individuals’ right to personal data protection, that is, the right to informational self-determination. Even though defining and testing the ETIAS screening rules could qualify as research or innovation activities, the controller (the ETIAS Central Unit and eu-LISA) should apply appropriate safeguards, such as pseudonymisation, in line with Article 89 of the GDPR.
The ETIAS risk indicators reveal a person’s health status each time the comparison triggered by a new application suggests that they pose high epidemic risks, an assessment carried out to the benefit of the community (e.g. Article 6 of Ley 41/2002). Following a first verification performed by the ETIAS Central Unit to discard false positive hits, the ETIAS National Unit responsible for the application may ask for additional information, such as hospital invoice(s) or health and vaccination certificate(s), or it may invite the applicant for an interview. The ETIAS National Unit must then decide whether or not to grant entry, and the decision is recorded in the TCN’s application file (Article 37 of the ETIAS regulation). Where the authorisation is issued, the ETIAS National Unit may annul or revoke it if the initial conditions are found to have never been met or to be no longer met (Articles 40 and 41 of the ETIAS regulation). Such “indirect” information counts as (sensitive) personal data whose processing could not amount to a fully automated decision as per Article 22(4) of the GDPR, unless the ETIAS is found to be underpinned by reasons of substantial public interest by virtue of Article 9(2) let. g) of the GDPR.
Data Subjects’ Rights and ETIAS
According to Article 64(1) of the ETIAS regulation, TCNs whose data are stored in the ETIAS C-S are informed about their right to access, rectify, and erase personal data at the time of collection. At that moment, the contact details of the European Border and Coast Guard Agency and the EDPS are provided. The expression used, i.e. “collection”, raises doubts as to whether TCNs are aware that their health data are processed at all, since these data are not gathered from the application form but inferred from the implementation (and eventual revision) of the ETIAS screening rules [Articles 14 and 23(1) let. e) of the GDPR]. In the specific case of granting the authorisation, TCNs are expected to be informed about the processing of health data during the assessment for which the ETIAS National Unit is competent (Articles 26-32 of the ETIAS regulation). Conversely, when the authorisation is refused, annulled, or revoked, the applicant is notified of the justification sustaining the negative decision, i.e. the fact that the TCN represents a high epidemic threat, and of the possibility of appealing it according to the national law of the responsible ETIAS National Unit [Articles 37(3), 43(3), and 41(3) of the ETIAS regulation]. In addition, the notification must state the procedures for exercising the right to access, rectify, and erase personal data before the ETIAS Central Unit or the competent National Unit [Article 64(2) of the ETIAS regulation]. Overall, the exercise of this right is designed around the assessment or decision taken by the ETIAS National Unit, without regard to the ETIAS screening rules, whose revision is performed by the European Commission every six months according to Article 33(3) of the ETIAS regulation.
Concluding Remarks
The lack of specific rules on the processing of health-related data in the ETIAS regulation confirms that the co-legislators have not provided the enhanced safeguards that such a special category of personal data requires. This post holds that, since health data are processed in the ETIAS at different stages, specific safeguards must be ensured across the whole data life cycle in order to protect the exercise of data subjects’ rights.
This post is part of the aid JDC2022-048217-I, funded by MCIN/AEI/10.13039/501100011033 and the European Union ‘NextGenerationEU’/PRTR, and of the 2024 Research Project ‘Aproximación ético-jurídica al tratamiento de datos de salud de inmigrantes y refugiados para fines de salud pública en la UE’ (DASIR-SP), funded by the Fundación Víctor Grífols i Lucas. The author is grateful to the Völkerrechtsblog team and Prof. Dr. Nicolás Jiménez for providing significant recommendations for this study.

Dr. Francesca Tassinari is a Postdoctoral JDC Research Fellow at the University of the Basque Country (UPV/EHU) and an expert in Privacy, Data protection, and Interoperability under International and EU Law.