Under EUROSUR’s Watchful Eye

The processing of migrants’ personal data by FRONTEX has raised many concerns over the past years, prompting the European Data Protection Supervisor (EDPS) to investigate the matter on several occasions. The EDPS has noted that reports from debriefing interviews conducted by the Agency could lead to the identification of interviewees and, thus, it has stressed its serious doubts about these interviews’ compliance with the principle of fair processing (Case 2022-0749). Moreover, it has observed that moving all of FRONTEX’s services into the Microsoft cloud was in breach of the accountability principle (Case 2020-0584). However, little has been said about such processing in the context of the European Border Surveillance System (EUROSUR).

Regulation (EU) No 1052/2013 established EUROSUR as a framework for data exchange and for the cooperation between FRONTEX and the EU Member States, with the main purpose of detecting, preventing, and combating irregular migration and cross-border crime, as well as contributing to ensuring the protection and saving lives of migrants. In 2018, the European Commission concluded that EUROSUR was to be encompassed in the forthcoming FRONTEX Regulation in order to maximise the operational mandate of the Agency, as well as to expand the scope of the system so as to cover border checks at border crossing points and air border surveillance, along with the external land and sea borders. Against this background, this blogpost seeks to showcase how the basis for the exchange of information within the framework of EUROSUR, as well as the defined purposes of the system may lead to the unlawful processing of personal data.

Breaking Down EUROSUR: The System’s Key Components Explained 

EUROSUR is an intricate system. It comprises four main components that are interlinked in order to maintain a near-real-time picture of the external borders of the EU and to share information amongst actors involved in border management authorities.

The National Coordination Centres (NCCs) are established in each Member State, connecting all the national authorities that have competences in external border control, FRONTEX, and the NCCs of other Member States. The EUROSUR Fusion Services (EFS) constitute the component through which the Agency supplies the NCCs and itself with relevant information on the external borders and on the pre-frontier area, at the request of NCCs. Under EFS, FRONTEX cooperates with many EU Agencies and collects a wide variety of data, such as radar imagery or the deployment of aerial surveillance. The EUROSUR Communication Network (ECN) acts as the means of transfer of all the information collected in the system. Through ECN, sensitive non-classified and classified data is exchanged ‘in a secure manner and in near-real-time with, and among the NCCs’ [Article 14, 2019 European Border and Coast Guard (EBCG) Regulation].

Situational pictures are ‘an aggregation of geo-referenced near-real-time data and information received from different authorities, sensors, platforms, and other sources’ [Article 2(10), 2019 EBCG Regulation]. In other words, they are electronic maps that display the information gathered and disseminated by the relevant authorities and can be sorted into three types. First, National Situational Pictures are created by National Coordination Centres and relate to the external borders and pre-frontier area of each Member State. Second, the European Situational Picture is created by FRONTEX and contains the external borders and pre-frontier area of the EU, as well as all unauthorised secondary movements. Third, the Specific Situational Picture – which was newly introduced by the 2019 EBCG Regulation – relates to specific operations carried out at the external borders, or aims at sharing information with third countries, international organisations, or other EU institutions, bodies, offices, and agencies.

It is the latter situational picture that raises more debate, given that information is shared with international organisations or third countries mainly on the basis of working arrangements. However, this raises two main concerns: first, most working arrangements concluded by FRONTEX lack adequate data protection and human rights safeguards; and second, the Regulation does not contain sufficient safeguards for the appropriate and lawful processing of personal data.

Data Protection Issues Within the Framework of EUROSUR

Although it has been claimed by FRONTEX that all working arrangements with external partners include ‘specific fundamental rights safeguards’, on most occasions, particularly with regard to the instruments concluded with third countries, these arrangements do not contain any safeguards, let alone specific provisions providing for the protection of fundamental rights. To highlight the relatively encouraging aspect first, the ratio of working arrangements concluded with IOs or other EU institutions, bodies, offices, or agencies that include fundamental/human rights protections is 44%. Except for the working arrangement with the European External Action Service (EEAS), which hardly states that the cooperation shall contribute to ‘the streamlining and promotion of fundamental rights’, those working arrangements contain quite specific safeguards.

In contrast, of the arrangements concluded between the Agency and third countries, only 40% contain a clause or a reference to the protection of fundamental/human rights and, in most cases, such references are extremely vague (e.g. clauses stating that the signing authority and the Agency should ‘afford full respect for human rights’ when cooperating). To date, the only working arrangement concluded with a third country that contains specific human rights protections is the one with the United Kingdom (UK), which provides for specific human rights obligations to both sides and for the monitoring of the FRONTEX Fundamental Rights Officer, amongst other measures.

The provisions concerning the protection of human rights contained in the UK working arrangement should be used by the Agency as inspiration for the (re)negotiation of future working arrangements with third countries. However, it cannot be forgotten that due to the non-legally binding nature of working arrangements, the inclusion of fundamental rights safeguards is not sufficient to mitigate the risk of human rights violations occurring, as stated by the EDPS in Case 2022-0647.

Data Protection Issues Stemming from the 2019 EBCG Regulation 

Article 87 of the EBCG Regulation provides that FRONTEX may process personal data for the purposes of ‘performing its tasks in the framework of EUROSUR in accordance with Article 89’, which establishes the relevant rules. Article 89 allows for the Agency to process ship and aircraft identification numbers [89(2)], and to exceptionally process other types of personal data as long as the processing is limited ‘to what is necessary for the purposes of EUROSUR in accordance with Article 18’ [89(3)]. According to Article 18, the purposes of EUROSUR are the detection, prevention and fight against illegal immigration and cross-border crime and ensuring the protection and the saving of lives of migrants.

On the basis of Article 86(2), FRONTEX’s Management Board adopted MB Decision 68/2021 on the processing of personal data by the Agency. In this regard, the EDPS adopted an Opinion where it established that there were certain aspects of the Regulation and MB Decision 68/2021 that did not provide for adequate safeguards. As regards EUROSUR, the EDPS established that Article 89 of the Regulation contained very few elements related to the processing of personal data, and that the MB Decision did not establish specific rules for processing such data within the EUROSUR framework.

Following this opinion, the Management Board adopted MB Decision 4/2024, which contained a more detailed set of rules for the processing of personal data concerning EUROSUR than Decision 69/2021. Although progress has been made in terms of developing a set of rules covering the specific situations where ship and aircraft identification numbers may be processed, there are nonetheless many gaps as regards the other kinds of personal data that, according to the Regulation, can be processed exceptionally for the purposes of EUROSUR. The only development in this regard is that Article 58 of the Decision – which somewhat mimics Article 89 of the Regulation – explicitly includes the purposes for which personal data may be processed, instead of referring to Article 18. These purposes, however, are certainly very vague and, as pointed out by the Commission, leave a wide margin of interpretation [SWD(2024) 75], potentially resulting in the processing of personal data for other purposes such as for the prevention of arrival or pull-back practices, breaching the principle of purpose limitation. This principle requires that data must be collected only for specified, explicit and legitimate purposes and not processed in a way contrary to those purposes.

Concluding Remarks

As the main system for the surveillance of the EU’s external borders, EUROSUR plays a key role in facilitating data-sharing among the Member States, FRONTEX and external actors. However, some key concerns remain about inadequate safeguards for the processing of personal data. Although the Agency’s Management Board has taken a step forward in amending the data processing rules following Case 2022-0148, the Regulation remains unaltered. Moreover, MB Decision 4/2024 still leaves certain gaps, particularly with regard to the data that can be processed under Article 89(3) of the 2019 EBCG Regulation, triggering concerns about purpose limitation and the right to data protection under Article 8 of the Charter of Fundamental Rights of the EU.