What you need to know about the EU’s new digital deportation regime

7–11 minutes

To read

On 17 June, the European Parliament approved the new EU’s deportation law (officially called the “Return” Regulation). The Deportation Regulation aims to track undocumented people down and deport them from the EU in large numbers. The most appalling of all the features of this new deportation system is the possibility for Member States to deport a person to a country they have never been to and detain them there indefinitely. More than 200 organisations petitioned against the legislative proposal, denouncing the new rules for what they are: inhumane.

The Regulation also boosts the surveillance powers and digital control of national authorities. Deportations rely heavily on technologies and data collection in their enforcement. At every step of the process, digital tools are used: to arrest and identify undocumented people, to detain them and restrict their movements, as well as to enforce deportation decisions.

The use of technologies severely undermine the digital and fundamental rights of people affected by this new regime, from data protection to asylum, dignity and liberty. The Deportation Regulation shows how migration and border control continue to serve as technological testing grounds for the EU and its Member States. They progressively but steadily widen the regime of exception at the core of the European data protection legal framework, and by doing so, irremediably undermine everyone’s fundamental rights.


Surveillance, intrusion and racial profiling (Article 23a)

The new deportation regime creates “obligations” on people without a valid residence or travel permit “to leave and cooperate”. To “promote” deportations and facilitate their identification, national authorities are authorised to take investigative measures, such as conducting home raids and searching any other “relevant premises” such as community centres, workplaces, hospitals, etc., force the collection of biometric data and search and seize personal belongings, electronic devices and “other items of relevance” – in other words literally anything from anyone. Further investigative measures defined under national law can also be deployed, which gives Member States a wide margin of discretion to introduce far-reaching ones.

Such practices codify the criminalisation of migrants and are disproportionate for migration management purposes. First, police raids without the requirement of independent judicial control in all EU countries will tarnish all places considered safe today and instill fear and insecurity among migrant communities and those providing services and support to them.

Second, coercion to collect biometric data, allegedly “as a last resort”, constitutes a grave infringement on the fundamental rights to dignity, integrity, liberty and security as it incentives the use of violence, punishment and detention. A 2018 report by Médecins du Monde showcased recurrent degrading treatments by Belgian police forces, sometimes amounting to torture (confinement in underwear in “freezer-cells”, blackmail, physical violence, etc.), against migrants in response to their refusal to give their fingerprints. The new provision allowing coercion is nothing less than a laissez-passer for further physical and psychological abuses.

Third, the search and seizure of electronic devices is extremely intrusive and manifestly disproportionate. Phone data extraction in particular can lead to the wide collection of sensitive data including data that is not necessarily relevant to the administrative procedure. In Germany, the Federal Administrative Court declared the Federal Office for Migration and Refugees’ (BAMF Migration Office) routine practice of searching asylum seekers’ mobile phones without cause unlawful. Seizing devices also encourages the procurement and use of hacking tools to bypass their security systems (pass-codes, PIN numbers, etc.), like Israeli company Cellebrite’s UFED (Universal Forensics Extraction Device), which can extract data even from locked smartphones in certain cases. In 2019, Cellebrite marketed itself towards governments as the solution to identify asylum-seekers without documents.

The text specifies that any of those measures can be enforced without the affected person’s consent, but should respect fundamental rights and be subject to safeguards and remedies under EU and national law. This vaguely defined requirement will likely remain a dead letter and, in any case, useless in face of the increased abuses, discrimination and hostility against migrants the law otherwise permits.

Moreover there is no doubt that these measures will reinforce racial profiling in daily law enforcement practice, since skin color and ethnicity are systematically used as proxies by police and immigration officers to assume people’s nationality or migration status. People of color living or traveling through the EU will be even more frequently stopped and searched than they already are and subjected to these measures even as they seek life-saving services and community connection.


Opaque and arbitrary deportation decisions (Article 16)

In general, the deportations process has become increasingly opaque. Deportation orders no longer have to include a “country of return” when issued, people can be deported to countries they have never set foot in, and national authorities are encouraged to take a “deportations first” approach to rejected asylum claims without considering alternative pathways to regularisation. In combination with a degraded and externalised appeals process, the offshoring of Europe’s so-called “migration crisis” is complete – leaving irregular migrants with little recourse to justice, and even less access to legal assistance and community support.

But perhaps most Orwellian development is the “security risk flag” that will be added to peoples’ profiles on the Schengen Information System. A simple alert is enough to ensure indefinite detention or deportation and is based on an incredibly liberal interpretation of what actually constitutes a “security risk”. Having committed a crime is not necessary; simply intending to is enough, based on nothing more than “reasonable indications” (read: racialised suspicion, profiling, stereotyping, etc.).

Once flagged, entry bans can be permanent. Under detention, security-flagged individuals could be subject to stricter confinement and supervision, and indefinitely detained.

Aside from the material consequences, what this arbitrary designation will do is create a climate of fear, surveillance, and further cement Europe’s punitive and dehumanising migration policies.


Tech-enabled detention (Articles 17, 23c and 29)

Detention is a key feature of the EU’s deportation regime and will increase incarceration rates, especially as the grounds for detention are numerous and very broad. Here again, technologies are exploited in order to control and restrict movements.

The EU has already funded prison-like facilities for detaining migrants such as “Closed and Controlled Access Centers” in Greece. These modern instances of the surveillance panopticon are equipped with cameras, drones, motion-sensors and fingerprint-access models. It is expected that such tech-facilitated detention centers will soon mushroom everywhere, whether inside the EU or in the newly designated “countries of return”.

If not physically detained, Member States are allowed to use electronic monitoring on people as an “alternative to detention”. Studies have shown the severe impacts fingerprint scans or GPS tags have on people’s mental and physical well-being, due to their pervasive nature and resulting high levels of anxiety and stress. While considered less restrictive, these techniques effectively constitute “mental prisons” and the new legislation supports their uptake in all EU countries, expanding and normalising state surveillance.


Data sharing with third countries, airlines and medical providers (Articles 39 and 40)

National authorities and Frontex are authorised to share a wide range of data with third countries, airlines and medical providers to enforce deportation decisions, including identity, biometric data, nationality, languages, travel documents and history, residence and visa status, grounds for deportation and health data. In addition, they may also share information on criminal convictions with third countries’ authorities.

This data transfer framework is particularly concerning from a data protection perspective as it lacks crucial oversight or redress mechanisms for the individuals concerned. In particular, it recklessly

trusts that the competent authority or Frontex have carried out the necessary checks that the data transfer does not risk breaching the principles of non-refoulement and of ne bis in idem (Right not to be tried or punished twice in criminal proceedings). The last version of the text deleted the right to be informed for people whose data was shared to third parties, which is a huge impediment to seek redress in case of illegal transfers and render their right to access effective remedies meaningless. Lastly, the requirement to document data transfers for the purpose of supervision and legality checks by European data protection authorities was also watered down in the last round of negotiations.


The steady building of Digital Fortress Europe

The European Commission has accurately described the Deportation Regulation as the natural follow-up to the Migration and Asylum Pact of 2020, the missing cog in the EU’s machinery of control and punishment. The Facilitation Directive – currently under negotiation – attempts to criminalise migrants even further, and targets solidarity organisations along the way.

The ensemble of these laws is constructing an increasingly fascist digital and physical infrastructure to systematically criminalise, surveil, detain and deport.

Yet another review of Europol (the third in six years) was announced on 24 June, confirming a new budget of €3 billion to turn the EU’s police agency into a “technology and innovation hub”, complete with a new Europe-wide Police Shared Data Space. The proposal dangerously erodes privacy, automates surveillance, and sidelines oversight.

A Frontex mandate review is expected in September this year, providing €12 billion to the agency’s purse and untold powers to top it all off. There is already confirmation that the ultra-controversial agency will become able to deport people between non-EU countries, taking its mission global.

Meanwhile, the EU continues its goal of fully digitising their deportation regime. The upcoming proposal for the “Digitalisation of Case Management” – also expected in September – will seek to speed up and automate“returns and readmissions” processes by boosting data sharing, establishing further databases interconnection and imposing minimum levels of digitalisation. This will fulfill the Deportation Regulation’s obligation to establish a new EU-wide deportations database to facilitate data-sharing and streamline deportations. It will also operationalise “mutual recognition” – a new concept adopted in the Regulation that obliges Member States to uphold each others’ deportation orders when a person moves from one Member State to another.

The European Commission’s proposal for the next EU budget has therefore been correctly dubbed a “fortress budget.” Increasing amounts of money and resources are being funneled into the militarisation of our borders and cities. Social protection is barely an afterthought, and the EU’s best legal minds fight to circumvent fundamental rights obligations and flout international human rights law as much as possible.

But more criminalisation, surveillance and punishment only brings Europe closer to increasingly authoritarian and fascist practices. EU funds must be diverted from murderous agencies like Frontex and the necropolitics of the bloc’s migration policies, Instead, public money should be spent on ensuring care and protection, from safe routes and welcome capacities to education, healthcare and social housing.