School of Law

Immigration and Privacy in the Law of the European Union

Niovi Vavloula talks to us about her new book Immigration and Privacy in the Law of the European Union published by Brill.


What is this book about?

This book critically examines the privacy challenges posed by the establishment, operation and reconfiguration of pan-European centralised information systems that process the personal data of different categories of third-country nationals. These highly sophisticated systems collect, store and process a wide range of personal data, including biometrics, from different groups of third-country nationals that are then used for many, often divergent purposes. A multi-layered network has been constructed comprising three operational databases: the second-generation Schengen Information System (SIS), the Visa Information System (VIS), and Eurodac. Three additional ones, the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS) and the European Criminal Record Information System for Third-country Nationals (ECRIS-TCN), are in the pipeline, essentially surveying the movement of almost the entire non-EU population with an administrative or criminal law link to the EU. These systems will soon be interconnected under the umbrella of ‘interoperability’, which will enable innovative uses through the aggregation of data from different sources.

Chapters 2-7 each focus on a different system (whereas Chapter 8 looks into interoperability) and provide a systematic account of the historical and legal framework of each of these systems, as well as of the extent to which these rules are compatible with the standards of protection of the right to private life as developed by the European courts. A typology of privacy standards is developed in Chapter 1, which aims to increase our understanding of the protection of privacy under EU law, both conceptually and substantially, and thus has wider implications than the specific context of immigration databases.

Why did you write this book?

This book is an updated and adapted version of my Ph.D. thesis that was defended in 2017. Compared to the Ph.D. thesis, which was around 100,000 words, the monograph is three times the size in order to take into account the booming legislation and case law since the defence of the thesis. Digitalisation of immigration control, particularly through the setting up and operation of information systems, has been under-researched, requiring expertise in both EU data protection and EU immigration law and not being taken aback by the rather technical nature of the topic. However, this intertwining of the two fields is particularly fascinating for a number of reasons: it brings to the fore not only how foreigners have been used as a laboratory for new technologies, but also how their very existence and possible movement is associated with criminality. As such, this book fills a very distinct gap in the literature and stands at the crossroads of immigration, criminal and data protection law. Furthermore, with the lack of any jurisprudence on these issues at EU level, the book aims to bring to light the systematic violations of privacy rights of foreigners and raise awareness of the dystopian landscape of information systems. Finally, with the proliferation of information systems, research is increasing and this book aims to become a landmark publication in this field.

Excerpt

The establishment of this ‘millefeuille’[1] of information processing schemes is based on the routine collection of various types of personal data for primarily administrative purposes, although law enforcement authorities may also process the data. The trend towards law enforcement access to immigration data is intertwined with the understanding of cross-border mobility as a security issue, resulting in an expanded use of migration technology. Meanwhile this control is progressively acquiring the characteristics of mass surveillance of movement[2] through ‘the focused and systematic and routine attention to personal details for purposes of influence, management, protection or direction’.[3] Outside the immigration law context, Clarke has coined the term ‘dataveillance’ to denote this type of surveillance through the collection of personal data.[4] Groups of third-country nationals are classified, and potentially excluded, according to the danger they are seen as posing to society, with surveillance techniques becoming the motor for assessing and managing this risk, applied to pre-empt their entry or monitor their subsequent movement after accessing the EU territory and to secure their removal if necessary. A logic of risk, preoccupied with risk analysis and the calculation of threat levels, is used. Gammeltoft-Hansen observes that information systems form part of concentric ‘risk filters’ that serve to categorise, identify and assign threat levels to different groups of third-country nationals.[5] This book uses the theory of risk as a central tool for understanding information systems.

As stressed by Bauman, in an era of globalisation, ‘the degree of mobility has stratified the world into two – one for “tourists” and the other for “vagabonds”’.[6] With it becoming increasingly difficult to distinguish the two types, to prevent unwanted migration, a novel approach has emerged around a risk-based logic.[7] […] Risks are essentially about anticipation; actively preventing undesirable events that relate to security concerns, but also more broadly, to irregular migration and public order.[8] A crucial aspect of risk theory concerns the uncertainty regarding the actual danger posed by an individual.[9] In a sense risks are both ‘real’ and ‘unreal’; although a risk involves an event that may not even happen, they carry a practical relevance by designating and prescribing present action.[10] Beyond securitisation, risk does not deal with existential threats, but rather with the anticipation and active prevention of undesirable yet unpredictable future events.[11] It also encompasses public order. Risk logic construes threats as governable, and their handling as a constant management process, whereas security logic treats them as uncontrollable and in need of eradication.[12]

The ‘Panopticon’ metaphor is particularly useful in this respect. This metaphor is based on Jeremy Bentham’s 1791 architectural design for a prison called the Panopticon, in which prisoners could be seen at all times by a centrally located guard who was invisible to them. Foucault then revitalised this metaphor, which has become central in the literature on surveillance.[13] Drawing on Foucault’s metaphor, Broeders has framed information systems as part of a ‘panopticon Europe’, increasingly designed to exclude third-country nationals through delegitimisation and criminalisation.[14] The power of panoptic vision goes beyond mere surveillance to discipline the watched individuals in line with socially accepted standards, as they lose the opportunity, capacity and will to deviate. In the context of third-country nationals, the main idea with surveillance is ‘not to get them in line, but to get them out’, to exclude them in both the territorial and the membership senses, separating the ‘ins’ from the ‘outs’ and the ‘deserving’ from the ‘undeserving’.[15] Bigo has coined the term ‘banopticon’ to highlight the ‘social practices of surveillance and control’ that ‘sort out, filter and serialize who needs to be controlled and who is free from control’. The systems are not intended for monitoring everybody, but rather target pre-designated risk groups only, exercising an exclusionary form of control with a focus on banishment or denying entry.[16] These theoretical approaches are not mutually exclusive; on the contrary, surveillance of those likely to pose risk becomes the vehicle for subsequent risk management, as it enables the collation and analysis of information and the ‘banopticon’ sorts out who needs to be watched and who may pass freely. It provides the framework for risk management by serving as a basis for specialised knowledge in defining and categorising risk groups.[17]

 

[1] Elspeth Guild, Sergio Carrera and Florian Geyer, ‘The Commission’s new border package – Does it take us one step closer to a “cyber-fortress Europe”?’ (CEPS, 2008) 4.

[2] Annaliese Baldaccini, ‘Counter-Terrorism and the EU Strategy for Border Security: Framing Suspects with Biometric Documents and Databases’ (2008) 10(1) European Journal of Migration and Law 31; Valsamis Mitsilegas, ‘Border Security in the European Union: Towards Centralised Controls and Maximum Surveillance’ in Elspeth Guild, Helen Toner and Annaliese Baldaccini (eds), Whose Freedom, Security and Justice? EU Immigration and Asylum Law and Policy (Hart 2007); ‘The Border Paradox: The Surveillance of Movement in a Union without Internal Frontiers’ in Hans Lindahl (ed), A Right to Inclusion and Exclusion? Normative Fault Lines of the EU’s Area of Freedom, Security and Justice (Hart 2009).

[3] David Lyon, Surveillance Studies: An Overview (Polity Press 2007) 14.

[4] Roger Clarke, ‘Introduction to Dataveillance and Information Privacy, and Definitions of Terms’ (Roger Clarke’s Website, 15 August 1997) http://www.rogerclarke.com/DV/Intro.html accessed 31 December 2021.

[5] Gammeltoft-Hansen (n 15) 8.

[6] Zygmunt Bauman, Globalization: The Human Consequences (Polity Press 1998) 87.

[7] Ulrich Beck, Risk Society: Towards a New Modernity (Sage 1992) 13, 24.

[8] Claudia Aradau and Rens Van Munster, ‘Governing Terrorism through Risk: Taking Precautions, (Un)Knowing the Future’ (2007) 13(1) European Journal of International Relations 89, 96; Natalie Niemann and Arne Schmidthäussler, ‘The Logic of EU Policy-Making on (Irregular) Migration: Securitisation or Risk?’ (Mainz Papers on International and European Politics, 2012) 13.

[9] Claudia Aradau, Luis Lobo-Guerrero and Rens Van Munster, ‘Security, Technologies of Risk, and the Political: Guest Editor’s Introduction’ (2008) 39(2/3) Security Dialogue 147, 148 and 150.

[10] Beck (n 48) 34.

[11] Rijpma, ‘Brave New Borders’ (n 14) 208. See Claudia Aradau and Rens Van Munster, ‘Governing Terrorism through Risk: Taking Precautions, (Un)Knowing the Future’ (2007) 13(1) European Journal of International Relations 89, 96.

[12] Niemann and Schmidthäussler (n 51) 15.

[13] Michel Foucault, Discipline and Punish (Pantheon Books 1975).

[14] Dennis Broeders, ‘The New Digital Borders of Europe: EU Databases and the Surveillance of Irregular Migrants’ (2007) 22 International Sociology 71, 74-75.

[15] ibid 74 and 76.

[16] Didier Bigo, ‘Security and Immigration: Toward a Critique of the Governmentality of Unease’ (2002) 27 Alternatives 63; ‘Globalized (In)Security: The Field and the Ban-Opticon’ in Didier Bigo and Anastassia Tsoukala (eds), Terror, Insecurity and Liberty: Illiberal Practices of Liberal Regimes after 9/11 (Routledge 2008).

[17] Gammeltoft-Hansen (n 15).

 

 
