The EU, the Externalisation of Migration Control, and ID Systems: Here's What's Happening and What Needs to Change

In early August, the African Union (AU) issued a statement condemning Denmark’s Aliens Act which, among other things, allows Demark to relocate asylum seekers to countries outside the European Union while their cases are being processed.

The AU argues that this amounts to an abdication by Denmark of “…its international responsibility to provide asylum and protection to those that enter its territory…’’ More importantly, the AU says this is an “extension of the borders of such countries and an extension of their control to the African shores.””

This article takes a closer look at what this externalisation of asylum procedures by EU members states looks like in third countries located in Africa and eastern Europe. Specifically, it focuses on the introduction of biometric identity (ID) systems that are meant to assist in the management and control of borders, the return and reintegration of migrants, and other migration purposes.

The article closes off by putting forward a number of recommendations on possible ways to mitigate the risks associated with the adoption and roll out of biometric ID systems.

What is the EU doing and what are the recent developments?

The EU says that its migration policy is based on the principles of partnership, shared responsibility, and solidarity with third countries which migrants transit through on their way into Europe. However, EU migration policy is contradictory and potentially leads to violations of fundamental rights in third countries.

A New Pact on Migration

In September 2020, the EU presented its ‘New Pact on Migration and Asylum’ (the New Pact). This new migration management strategy sought among other things, to provide “…a humane and effective long-term response to the current challenges of irregular migration, developing legal migration pathways, better integrating refugees and other newcomers, and deepening migration partnerships with countries of origin and transit for mutual benefit.”

Under the New Pact, the European Commission proposed multiple new regulations and amendments to existing regulations, as well as other recommendations. Each of these amendments and recommendations makes their way into law separately, making the Pact a kind of strategy document outlining various policies in parallel.

One consequence of the New Pact is the recasting of the Eurodac Regulation, the key Regulation which established the EU’s asylum fingerprint database system. The New Pact extends the scope of the current Regulation to wider migration purposes.

Specifically, it is to allow member states to also monitor the secondary movements of irregular migrants who have not sought asylum and to use that information to help facilitate re-documentation and deportations.

According to the EU, the New Pact “paves the way towards a common EU system for returns (deportations)..” The same statement goes on to say that the current hurdles to deportations lie within the EU member states . As a result, the New Pact will be a first step towards the appointment of a European Return Coordinator, who will work closely with the European Border and Coast Guard Agency (Frontex), and will assist in the harmonisation of national legislation across EU member states on deportations.

Its all about deportations

Changes to Eurodac include an expansion of the scope of the system and to open the system’s fingerprint database to access by national law enforcement authorities and Europol. In addition to the above, the EU’s cross border IT agency, eu-LISA, is working on a Central Identity Repository (CIR) which is “designed to hold the records of 300 million people and will be the centerpiece of a new, integrated system that allows police forces across the EU to search and cross-check the records of immigrants and visitors from outside Europe.” The project is based in Tallinn, Estonia and is expected to be completed in 2023 at an estimated cost of US$190 million.

Opening up migration databases to use by national law enforcement authorities is highly concerning because it will allow law enforcement officers across Europe to conduct biometric checks of people they think might not have secure immigration status. This will ultimately reinforce the overpolicing of groups such as racial minorities.

A focus on identifying and deporting irregular migrants can also be found in the EU Partnership Agreement between The European Union and its member states and members of the Organisation of African, Caribbean and Pacific States, signed in April 2021. It calls upon the parties to “cooperate to improve and modernise civil registration systems and to issue biometric travel documents…”

The Agreement also stipulates that parties shall cooperate on identifying people without documents who are to be deported, calling on parties to “proceed with the necessary verification immediately” when requested to do so, as well as consulting biometric registries in order to do so.

This Agreement follows the Joint Valetta Action Plan, which also seeks to promote the use of civil registration systems in third countries for migration control. This includes conversations around building capacity for biometric systems for migrants returned to their countries of origin.

The New Pact, Eurodac Regulation, Partnership Agreement or the Joint Valetta Action Plan do not warn against or discourage the rollout of biometric ID systems in countries with inadequate national legal frameworks.

Neither of these policy blueprints mandate sufficient protections against potential abuses, such as the carrying out of preliminary human rights impact assessments to determine whether the introduction of a biometric ID system is necessary and proportionate or how that ID system will influence the enjoyment of fundamental rights.

Country examples

A direct outcome of the Joint Valetta Action Plan, the European Union Emergency Trust Fund for Africa is used to fund biometric ID systems, particuarly the modernisation of civil registries, for example in Cote d’Ivoire, Senegal and Niger.

Despite not having direct access to the data in such systems, they can still be used in pursuit of EU migration policies and deportations. In Niger, for example, Article 36 of the 2015-036 law in Niger, which criminalises human trafficking and was passed at the EU’s request, stipulates that if a foreign state authority (such as one in the EU) requests the verification of the authenticity or validity of travel or identity documents believed to have been issued in Niger, the Nigerien authorities are obliged to provide relevant information to them.

It is argued that the roll out of new security architecture for migration management in regions such as the Sahel turn poor and weak states such as Niger into agents of the externalised European border.

In 2018, the European Investment Bank - the lending arm of the EU - granted Nigeria a loan for the development of digital identity (eID) infrastructure in Nigeria and the supply of a biometric identity to all Nigerian citizens. This project would attempt to reduce migration by providing a platform for economic development and poverty reduction. This programme also received support from the World Bank.

Similarly, in the Balkans, the EU has provided fingerprinting devices to authorities in Bosnia and Herzegovina and has provided funds to Frontex to upgrade the IT systems of the Western Balkans countries with a view to making them “interoperable” with EU border and migration databases.

What are the concerns with these kinds of ID systems?

The databases are established under the guise of civil registration when they are actually motivated by the need to more easily facilitate deportations or otherwise "manage" migration. That said, digital identity systems are problematic because they have the potential to exclude, surveille and exploit people especially when such systems are rolled out without fully assessing the consequences.

More specifically, biometric data can easily be subjected to re-purposing. Whilst originally it may have been gathered for migration control purposes, it may later be used for law enforcement purposes. This phenomenon is known as “mission creep”. The merging of protection and law enforcement purposes at the expense of the former is also gaining traction in several jurisdictions.

If data like photographs are collected in the enrolment or data collection of an ID scheme, even if it is not immediately used for purposes like facial recognition, the existence of the dataset means that it can be used for such in the future, as in the case of India adding facial recognition to its biometric systems.

Biometric ID systems must take into account the risk of biometric failure. Sometimes, biometric systems fail to recognise the biometrics of an individual. This can be a result of issues like the fading of fingerprints (the elderly and manual workers being particularly at risk) or cataracts affecting iris scans.

The consequences of this can be severe: for example, failing to get access to benefits to which an individual is entitled. This is not an abstract concern. There are already reports that this has led to starvation deaths in India. It is essential that strong, and usable, mechanisms are in place in the case of biometric failure.

Biometric databases on which ID information is stored are hard to keep secure and protected from security and data breaches. Countries such as India,, South Korea and the Philippines have experienced extensive security and data breaches that led to the leaking of biometric ID information belonging to millions of individuals in those respective countries.

In Afghanistan, biometric databases established over the past two decades by the then Afghani government and its allies have fallen into the hands of the Taliban. Several reports indicate that the Taliban is now using the information from these biometric databases to identify and track persons that worked with or for the US military and its allies.

Recommendations to Mitigate the Risks of Biometric ID Systems

Biometric ID systems should only be introduced after a legitimate, evidence-based analysis of impacts, risks and benefits of such systems has been carried out. These audits and/or evaluations must be considered in light of alternative, less intrusive methods that may be adopted to solve a problem, in this instance irregular migration.

Data protection concerns are one area of concern when thinking about biometric ID systems. There is need to also weigh the impact and risks of such systems on broader rights and freedoms and ways to mitigate their impact.

What should the EU do instead?

The EU has a primary role to ensure that it does not promote the unnecessary introduction of ID systems in situations where other, less intrusive, methods of migration “management” are possible.

Instead, it should focus on the promotion and strengthening of democratisation and human rights protections. This can be achieved in part by strengthening laws or working with counterparts to introduce new ones that set out clear guidelines within which the government authorities may conduct surveillance activities.

In addition, EU authorities must work with partners to revise existing privacy and data protection legal frameworks, or where there is none developing new ones, that regulate surveillance by police and intelligence agencies. These should be aimed at ensuring they are robust, effectively implemented, and provide adequate redress for individuals.

In those instances where a proper evaluation process has shown the necessity of biometric ID systems, the EU must ensure that the ID system is supplied through a transparent procurement process. It is important that procurement of biometric ID systems and services is not always confined to one particular vendor.

It is important to consider factors beyond compliance that look at how companies inform/influence the system design and implementation of biometric ID systems. This will ensure that the use of identity systems for commercial/financial and exploitative purposes.

The EU also has a role to play in supporting the ongoing process of introducing and maintaining checks and balances that guard against the abuse of biometric ID systems.

What should governments in African countries do?

African states must provide all migrants with proof of legal identity and adequate documentation as a way to empower them to effectively exercise their human rights. This may be in the form of passports and not necessarily ID cards.

The introduction of any proposed ID scheme must go through a legislative process and be scrutinised through open consultation which legitimately considers the submissions made by civil society organisations, as well as members of the public.

In instances where ID systems are introduced, there must be a use of check and balances. These involve the introduction of relevant legal frameworks to support the roll out of the ID system, for example, laws that place constitutional limits on surveillance activities and a human rights due diligence framework.

Checks and balances are an ongoing process that require, but not limited to, regular cost reviews, data and security audits, human rights risk and impact assessments, equality and accessibility audits, redress mechanisms, regulatory reviews, and purpose limitation checks.

What should civil society in African countries demand?

Civil society in African countries must continue overseeing and input into these processes. Civil society should document the roll out of biometric ID systems that are introduced in order to promote better migration management and ensure it does not end up enabling state sponsored human rights violations

On the other hand, civil society has a duty to raise awareness and inform members of the public on the benefits and risks of biometric ID systems within their respective country contexts.

With the above in mind, civil society in African countries should demand legitimate audits and assessments that analyse the impact of potential ID systems. Civil society should push back against any unnecessary introduction of biometric ID systems no matter how good the cause they are advertised cause they are to be introduced under is.

What should companies do?

The Guiding Principles on Business and Human Rights along with Resolution 12/16 on The right to privacy in the digital age, state that business entities have an obligation to respect and promote human rights. This obligation means that due diligence must be given to issues relating to the protection and promotion of human rights. As such, business entities must not push governments to adopt technologies that may be used to unjustifiably infringe on rights such as the right to privacy.

Conclusion

The current model used by the EU and its member states to manage migration amounts to an externalisation of EU policy to third countries. In most instances, this is done without due regard for the effect this will have in the long term protection and enjoyment of fundamental rights in third countries. This is a cause for concern in those countries that lack adequate national legal frameworks. The absence of these frameworks makes it easier to repurpose biometric ID systems that are initially set up to control migration.

There is need to restructure the funding vehicles and projects funded by the EU to ensure that they strengthen local laws that promote the responsible use and reduce the harms of technologies introduced to control migration.

As well as EU authorities, African and other governments also have a crucial role to play in achieving this, as well as civil society actors in countries impacted by these externalisation policies which as ever are likely to be in the frontline of any abuses.