On March 29th, the Permanent Representatives Committee approved the EU Council’s negotiating mandate for a Regulatory proposal to digitalize the Visa procedure. If adopted, it would introduce a single website platform where third-country nationals could submit their Visa applications which will be then forwarded to the concerned EU Member States. Applicants will be able to upload all relevant information, including their personal information and travel documents, to the online portal to complete their Visa requests. They will receive updates about the results of their applications through the dedicated website. The draft Regulation will also provide for the issuance of Visas in a digital format protected by cryptographic safeguards, thus replacing Visa stickers and preventing the circulation of forged documents.
Proponents argue that the progressive digitalization of the Visa procedure will improve security and reduce administrative costs for both EU Member States and interested travellers. A uniform Visa application mechanism within the Schengen Area is also likely to prevent Visa shopping episodes. However, I argue that the Draft Regulation raises many concerns about the effective protection of the fundamental rights of Schengen visa applicants. If adopted, it threatens to perpetuate the subordination of fundamental rights to security and efficiency concerns that characterizes the increasing digitalization and datafication of EU migration management operations.
Mandatory Use of Schengen Visa Platform and Non-Discrimination
The European Data Protection Supervisor (EDPS), according with Art. 42 of Regulation (EU) 2018/1725, delivered an opinion on the potential impact on people’s rights and freedoms regarding personal data processing activities in digital Visa application procedures. Despite the significant flaws the EDPS identified with an earlier version of the draft regulation, the approved legislative draft has not addressed these.
The draft Regulation would amend Article 9 of Regulation (EC) 810/2009 (Visa Code) to introduce the obligation to submit all visa applications for Schengen area countries through a centralised web-based platform. The legislative proposal foresees derogations to such an obligation for several reasons, including humanitarian grounds. However, the draft text explicitly declares that EU Member States may allow specific categories of people to submit Visa applications without using the new online platform. According to Recital 14 of the Regulatory draft, such special provisions could apply to people with digital accessibility issues. People may struggle to submit their Visa application on the online platform due to several factors, including low digital literacy or the lack of the necessary technical equipment. However, despite the ostensibly inclusionary rationale underpinning these exemptions, national authorities have a wide margin of discretion on how to interpret and apply them. This opens the door for discriminatory treatment. More specifically, non-digital submission for Schengen Visa may depend on arbitrary variables, such as how the requested State addresses the above-mentioned exemptions, and not on the needs of the potential applicants.
Data Protection Principles
The legislative proposal would amend Regulation (EC) 767/2008 (VIS Regulation) by providing for the collection of the IP address from which the visa application is sent among the application data. The VIS database would store such information, and several subjects, including EUROPOL and EU Member States authorities, would then be able to access the data for a variety of purposes, including law enforcement and border management. According to the landmark ruling of the Court of Justice of the European Union (CJEU) in the Breyer case, the IP address may fall into the category of personal data to whose processing the safeguards of the Regulation (EU) 2016/679 (GDPR) must be applied. As such, collection and elaboration activities of IP address data should be necessary and proportional to the digitalization of the Schengen Visa procedure. However, the legislative draft lacks a proper necessity assessment of such data processing activities that could represent an undue limitation of data processing rights of concerned individuals according to Art. 52 of the EU Charter of Fundamental Rights. Indeed, it should strike us as questionable whether the collection of an applicant’s IP address is necessary for the assessment of their Visa request. The insistence on these data protection safeguards ensures that the digitalization of Visa procedures does not serve to legitimize indiscriminate data collection activities for security purposes.
Data Quality Issues
The draft Regulation would require consulates and external service providers to perform data quality checks on the information uploaded on the platform. However, the legislative proposal does not provide uniform data quality assessment procedures. Spelling errors, translation mistakes, technical failures, and unreliable birth certificates are a few examples of low-quality data flows affecting large-scale information systems in the Freedom, Security and Justice Area. Providing standardized and uniform data quality safeguards would prevent discriminatory outcomes and ensure the same treatment to interested individuals addressing different consulates. High-quality data would ensure reliable and transparent decision-making processes, thus safeguarding the fundamental and procedural rights of interested Visa applicants and preventing the propagation of discriminatory attitudes that could exacerbate the vulnerabilities of third-country nationals. Moreover, reliable and accurate data would permit the effective implementation of border control policies preventing security threats.
Right to Information
According to the legislative draft (point 30, amending art.47 of the Regulation (EC) 810/2009), the Schengen Visa platform should provide the general public with all the relevant information about the digitalized application procedure. However, the platform should also adequately inform data subjects to ensure fair and legitimate data processing activities in compliance with the GDPR requirements. Specifically, data subjects should be informed about the modalities and the goals of data processing activities concerning their personal information within the context of interoperability between large-scale information systems at the EU external frontiers. Different actors (e.g. border authorities, law enforcement agencies) can access data for a variety of purposes, including border control, counter-terrorist, and migration management. The overlapping of such different purposes can make it difficult to comply with the principles of purpose limitation and data minimization.
No Clear and Uniform Accountability Framework
The draft Regulation establishes that the EU agency eu-Lisa should develop the online platform and provide EU Member States with the necessary technical equipment to join to this system. However, the legislative proposal fails to define a clear framework of the roles and responsibilities of the different actors (the EU and its Member States, third countries of origin, interested Visa applicants, private suppliers of technological instruments) involved in the data processing activities needed for the digitalization of Visa procedures. The coexistence of a plurality of actors accessing and elaborating the same information for a variety of purposes through technological means may blur the boundaries of accountability profiles. A blurred accountability framework, hiding the responsibilities of involved actors behind the curtains of technological complexities, would infringe on the possibility for concerned individuals to individuate who to hold accountable for their rights.
The implementation of digital Schengen Visas is the latest example of a more complex digitalization process regarding the management of the EU’s borders. The deployment of technological solutions for border control and migration management procedures purportedly serves to identify and prevent any security risks for the EU and its Member States, while also streamlining cumbersome administrative processes. While these are important benefits, data-driven borders have been shown to operate as sites of social sorting, filtering access to mobility rights accordingly with potentially discriminatory indicators such as ethnicity, language, nationality, and religious beliefs. The progressive datafication of EU borders relies on techno-solutionism assumptions, according to which targeted data processing activities can forecast the future behaviour of specific individuals. This approach does not consider how the deployment of technological devices could shape the surrounding circumstances, replicating and propagating specific power dynamics and hierarchies.
These problematic dynamics are exacerbated by the consistent de- prioritization of the rights of people on the move in the EU’s push towards digitalizing border control. The current legislative proposal to digitalizing visa processing is a paradigmatic example of how fundamental rights are often sacrificed in the pursuit of speed, efficiency and security imperatives. Thus, the draft Regulation aims to make Schengen Visa application procedures faster and more efficient through EU-centered management via a dedicated online platform. However, as illustrated, the current proposal threatens to legitimate indiscriminate and arbitrary data collection activities regarding migrants seeking to enter Europe. A data justice approach could help alleviate the potentially harmful impact of emerging technologies on vulnerable people, including migrants, and strike a better balance between collective interests, such as border security and internal stability, and individual fundamental rights.