A. Introduction
Much ink has been spilled on the need for cooperation among public administrations in the European Union (EU) in order to face the emerging challenges of the material application of EU law, to the extent that such cooperation has become the “backbone of the EU’s unique system of government and governance.”Footnote 1 The principle of administrative cooperation, constitutionalized in Article 4(3) of the Treaty on the European Union (TEU) and Article 197 of the Treaty on the Functioning of the European Union (TFEU), entails that national administrations are increasingly required to interact with one another in various ways.Footnote 2 In most EU policy areas, the procedural cooperation between national administrations materializes through the shared implementation of “composite” decision-making proceduresFootnote 3—facilitated by the operation of multijurisdictional networksFootnote 4—or through extensive horizontal or vertical information exchanges.Footnote 5 To that end, domestic authorities may be required to collect, generate, and transfer information to their counterparts in other Member States as preparatory measures to decision-making and enforcement activities. On the basis of such information, Member States—or even EU bodies and institutions—may adopt acts or take decisions.
The architecture of information networks has been developed in a policy-specific fashion and asylum policy follows that path, albeit with its own intricacies. The purpose of Article 78(2) TFEU is to develop a “common European asylum system” (CEAS), which has led to the elaboration of different legislative harmonization measures concerning the definition of who qualifies as a refugee or a beneficiary of subsidiary protection,Footnote 6 common procedures for the examination of asylum claims,Footnote 7 and reception conditions that should be afforded to asylum seekers during the examination of their claims.Footnote 8 At present, the centerpiece of the CEAS is the Dublin III Regulation,Footnote 9 an assignation mechanism to identify the Member State responsible for examining a specific asylum claim through an array of hierarchical criteria. It is in the distribution of asylum seekers, in accordance with the responsibility-allocation scheme, that administrative cooperation in the form of information sharing is necessary. Such information sharing takes place through two main avenues. First, an EU-wide centralized information system called Eurodac has been set up precisely to assist Member States in assigning each asylum seeker to the responsible Member State through the joint gathering of information.Footnote 10 Second, the Dublin III Regulation itself, in particular Article 34, organizes the manner in which further information sharing may take place, in order to determine the responsible Member State or to arrange the transfer of an asylum applicant.
In a complex area of multi-layered actorness, the availability of effective remedies either ex-post—judicial review—or throughout the process—administrative review—is crucial to ensure the protection of individual rights and accountability in the exercise of public powers.Footnote 11 The existence and effectiveness of remedies at the disposal of asylum seekers has attracted scholarly attention, albeit the emphasis has been either on other CEAS legal instruments or, where the Dublin system is scrutinized, on the application of the hierarchical allocation criteria.Footnote 12 Thus, the rules on information sharing have so far been off the academic radar. As a result, the question of whether the Dublin system ensures effective judicial and administrative remedies in the operationalization of multijurisdictional information networks has not been addressed.
This Article aims at filling this gap in the literature by analyzing the relevant Eurodac and Dublin-related legislation, national implementation, and national case law through the lens of administrative cooperation. To that end, the next section provides a concise synopsis of the Dublin III Regulation to lay the foundation for the subsequent analysis. Then, this Article explores the case of Eurodac in relation to the availability and effectiveness of remedies for asylum seekers, both extrajudicial and judicial. The following section is devoted to the challenges of the rules of the Dublin III Regulation concerning administrative cooperation, in the form of information exchange for the right to an effective remedy, as enshrined in Article 47 of the EU Charter of Fundamental Rights (Charter). The assumption that the data exchanged has been acquired and processed lawfully, due to interstate trust, and the extent to which that assumption is rebuttable are central themes throughout this Article. It is argued that administrative cooperation through information sharing takes precedence over the right to an effective remedy and that, in practice, judicial and extrajudicial remedies are insufficient to protect asylum seekers. This Article concludes with a summary of the main findings.
B. The Dublin System: A Sketch
The ongoing harmonization of national rules on asylum procedure, as aforementioned, does not signify that asylum applications in the EU are examined through a common asylum procedure or that there is a uniform status for those granted asylum within the EU.Footnote 13 Asylum applications are still examined by individual Member States following a national asylum procedure and result in national refugee status. Without centralization, national systems are meant to interact with each other to govern asylum flows and allocate responsibility for asylum seekers through the so-called Dublin system.
The Dublin system was initially established through the 1990 Dublin Convention,Footnote 14 outside the EU framework. The Convention was signed as a corollary to the abolition of intra-Member State border controls and the need for a coordinated response to the increasing logistical demands which the operation of the asylum system placed upon Member States. In particular, it aimed at providing a clear set of common rules to determine which Member State would be responsible for examining an asylum application—in cases of potentially overlapping asylum claims in different countries—as a result of the phenomena of “refugees in orbit”Footnote 15 and “forum shopping.”Footnote 16
The Convention has been amended twice and—at the time of writing the Dublin III Regulation is in forceFootnote 17 allocates responsibility within the CEAS, all the while introducing and reinforcing substantive individual rights and procedural safeguards. The regulation is premised on the “single application” principle, according to which an application must be heard by a single Member State.Footnote 18 To determine which Member State is responsible for examining each application, the regulation prescribes an allocation mechanism comprising a hierarchy of criteria.Footnote 19 Such criteria include the existence of a family member of the applicant who is a recognized refugee or an asylum applicant in another Member State,Footnote 20 whether a certain Member State has issued the applicant with a residence permit or a visa,Footnote 21 and the rule that the responsible party will be the Member State from where the asylum seeker first entered the EU.Footnote 22 In practice, the “first country of entry” rule is the main criterion used by Member States’ authorities. Guild has observed that the responsibility for examining an asylum claim has thus been treated “as a burden and a punishment for the Member State which permitted the individual to arrive in the Union.”Footnote 23 Where asylum seekers are present in the territory of a Member State other than the responsible Member State, they are to be transferred to the latter, unless limited exceptions apply.Footnote 24 Transfers are to take place either because the asylum seeker has first applied to the responsible Member State—a “take back” requestFootnote 25—or because the asylum seeker ought to have applied there—a “take charge” requestFootnote 26—but unauthorized secondary movement took place.
A wealth of academic commentators have criticized how the Dublin system creates an asymmetrical burden and is largely unconcerned with fair sharing of responsibility among the Member States, as that responsibility is largely dependent upon the geographical locus of each State.Footnote 27 Another line of authors view the Dublin system as embodying the principle of negative mutual recognition and the introduction of automaticity among Member States. Indeed, the occurrence of one of the Dublin criteria creates a duty for one Member State to “take charge” or “take back” an asylum seeker and thus recognize the refusal of another Member State—which transfers the asylum seeker in question—to examine the asylum application.Footnote 28 Transfers in that context are based on interstate mutual trust, under the presumption that the receiving state provides an equivalent level of human rights protection to asylum seekers as the sending state.Footnote 29
From an administrative law standpoint, the determination of the responsible Member State requires intense horizontal transnational cooperation among national administrations to track down the possible intervention of another jurisdiction. The national administrations involved may not organically belong to the same unit, directory, or even legal system. For instance, to determine whether a Member State has issued a Schengen (short-stay) visa to an asylum seeker, national administrations may consult the designated Schengen-wide centralized information system—the Visa Information System (VIS)—to check whether a record therein exists, indicating the issuance of a visa by another administrative authority.Footnote 30 To that end, the Dublin system embraces various procedures of administrative cooperation for its functioning, which at least partly encompass composite elements. A single administrative decision on the territorial belonging of an asylum applicant and their consequent transfer to the responsible Member State may involve multiple jurisdictions and be grounded on the input by national administrations which interact and/or cooperate via established information networks. The processing of information in this context is crucial in view of the abovementioned principles of “single application” and mutual recognition. A prime example of an advanced form of composite information management is Eurodac, a Europe-wideFootnote 31 centralized information system which has been established as a support tool of the Dublin system to determine whether a Member State is responsible for the presence of an asylum applicant.
C. The Eurodac Database: The Digital Sidekick of the Dublin System
Eurodac (European Dactyloscopic System) constitutes an integral, yet relatively under-explored component of the CEAS.Footnote 32 It forms part of an elaborate network of Europe-wide centralized information systems that process various categories of personal data collected from different categories of third-country nationals. Eurodac functions alongside two other operational information systems—namely the Schengen Information System (SIS)Footnote 33 and the VISFootnote 34—all of which are managed by eu-LISA, the EU agency for the operational management of large-scale information systems.Footnote 35
I. The Recast Eurodac Regulation in a Nutshell
Already in the early stages of Dublin cooperation, discussions revolved around the possibility of setting up a European system to compare the dactyloscopic data of asylum seekersFootnote 36 with the underlying aim of tracking possible onward movements of asylum seekers in other Member States and preventing abuse of the system by the submission of several applications for asylum by one person. Eurodac was established via Regulation 2725/2000Footnote 37 and complemented by Regulation 407/2002.Footnote 38 The Eurodac rules were recast in 2013, primarily to add the use of Eurodac fingerprints for the prevention, detection, and investigation of terrorist offenses and other serious crimes as an ancillary purpose of the system.Footnote 39 That said, at the time of writing, the primary objective of Eurodac is to support the implementation of the Dublin system. As a response to the so-called “refugee crisis,” a recast Eurodac proposal was adopted in 2016 to reconfigure the system as a tool for wider migration purposes.Footnote 40 On September 23, 2020, a revised Eurodac proposalFootnote 41 was adopted in the framework of the New Pact for Migration and Asylum,Footnote 42 proposing that Eurodac would serve asylum, resettlement, and irregular migration purposes.Footnote 43
Despite its reconfigurations, Eurodac has been intrinsically linked to the allocation of the Member State responsible for the examination of an application for international protection. Article 1 of the recast Eurodac Regulation stipulates that the purpose of the information system is:
[T]o assist in determining which Member State is to be responsible pursuant to Regulation (EU) No. 604/2013 for examining an application for international protection lodged in a Member State, and otherwise to facilitate the application of the Regulation (EU) No. 604/2013 under the conditions set out in this Regulation.Footnote 44
Eurodac requires Member States to promptly collect a full set of the fingerprints of every applicant for international protection over the age of fourteen.Footnote 45 The collected fingerprints are transmitted and stored in the Central System, a database managed by eu-LISA, where they are automatically compared with fingerprints that have already been transmitted and stored by other participating countries.Footnote 46 Eurodac is equipped with an Automated Fingerprint Identification System (AFIS) and functions on a hit/no hit basis; in case of a match, a notification is given.Footnote 47 Furthermore, Member States are under the obligation to collect the fingerprints of all third-country nationals apprehended “in connection with the irregular crossing by land, sea or air” of the Member State and transmit them to the Central System for comparison against fingerprints that will subsequently be collected from asylum seekers.Footnote 48 This is to ensure that persons who were apprehended irregularly crossing the EU external border and subsequently apply for international protection in another Member State could be allocated to the responsible Member States in accordance with the “first country of entry” rule. A third category of third-country nationals whose fingerprints are collected includes “persons found illegally staying in a Member State.”Footnote 49 Nevertheless, for now, neither are Member States obliged to undertake the procedure nor is the data centrally stored.Footnote 50 Overall, fingerprinting—in relation to both of these categories of third-country nationals—is meant to assist in determining whether the individual in question has first entered through a specific Member State, so as to enforce the Dublin rules. If a Eurodac check reveals that the fingerprints were already recorded in another Member State—a “hit”—it will establish whether the applicant has already lodged an application for international protection in that other Member State, or whether the applicant has irregularly transited through that other Member State. Consequently, the latter Member State may be requested to take back or charge the asylum applicant, in accordance with the Dublin III Regulation.Footnote 51
Apart from a full set of fingerprints, Eurodac stores limited information on the sex of asylum seekers and irregular border crossers, the date of registration and transmission of fingerprints to the Central Unit, and the Member State of origin.Footnote 52 Details on the person’s name, nationality, or date of birth—as well as other information, such as special needs or occupation—are not included, but are collected and processed by national authorities in accordance with their domestic legislation. When there is a hit, the data is transferred through the DubliNet system, an electronic communication network set-up under Article 18 of the Dublin III Regulation, enabling information sharing between the national authorities dealing with asylum applications. The two involved Member States may exchange personal data—other than the limited data set stored in Eurodac through DubliNet, in accordance with Article 34 of the Dublin III Regulation—which is analyzed below.Footnote 53 As a result, although Eurodac fingerprinting does not determine the identity of a person per se, it contributes to their identification. A link may be established between an asylum applicant and a past Eurodac entry, which is verifiable through information sharing between the state that conducts the check and the state of past Eurodac entry.Footnote 54 Furthermore, Article 1(3) of the recast Eurodac Regulation allows the Member State of origin to cross-check the Eurodac fingerprints against other databases established under national law, thus leading to the identification of the person. As a result, Eurodac operates as a de facto quasi-identification tool, though strictly speaking at the time of writing, identification does not feature among the objectives of the system. However, Article 1(1)(e) of the amended Eurodac proposal prescribes that the system will assist in the correct identification of persons registered.
II. Presumptions and Trust in a Digitalized Environment
From an operational perspective, Eurodac constitutes the first experiment of the EU with biometric identifiers—specifically fingerprints—and the largest multijurisdictional information system worldwide, functioning in thirty-two European countries.Footnote 55 According to the latest statistics, in 2019, Member States successfully transmitted a total of 916,577 sets of fingerprints.Footnote 56 As the authorities participating in Eurodac are granted direct information access to stored data for all participating authorities, the system establishes a high level of information integration and constitutes an example of the most advanced form of information sharing.Footnote 57 By organizing the joint gathering of information by Member States, Eurodac constitutes a prime example of a composite procedure, whereby the administrative procedure of allocating the responsible Member State in accordance with the Dublin rules is supported by information transferred to it by other Member States—horizontal cooperation—and assisted by an EU agency, eu-LISA—vertical cooperation.Footnote 58
Eurodac functions as the necessary corollary of the Dublin system. The latter cannot run smoothly unless Member States can reliably verify whether a person has already applied for international protection or was apprehended in connection with the irregular crossing of an external border in another participating State. In case of a hit, the administrative authorities presume that at the time when the Eurodac record was inserted, the individual in question either filed an asylum claim or was an irregular migrant—and thus the responsibility for the applicant lies with another Member State. This presumption is based on the existence of a technology-based trust that operates on two levels. First, there exists interstate trust among national administrations that the fingerprints are lawfully and carefully collected and transmitted, the rights of the fingerprinted third-country nationals are safeguarded, and the record entered in Eurodac is accurate, of high quality, up-to-date, and compliant with the rights to dignity,Footnote 59 respect for private life,Footnote 60 and personal data protection.Footnote 61 In addition, Eurodac exemplifies trust among Member States in overseeing the external borders of the EU by zealously fingerprinting irregular entrants. Second, interstate trust in procedures is facilitated by trust in technology and the belief that biometric identifiers, including fingerprints, along with their centralized storage are trustworthy advents. As a result, the existence of Eurodac allows trust to build among participating States. Eurodac is simultaneously a result of and a tool for fostering interstate trust in the CEAS. Undoubtedly, biometric identifiers have been heralded as revolutionary tools that present a series of attractive characteristics due to their universality, distinctiveness, and permanence.Footnote 62 Their reliable nature has been confirmed by the Court of Justice of the European Union (CJEU) in Schwarz—concerning the inclusion of two fingerprints in EU biometric passports—with the CJEU holding that “the fact that the method is not wholly reliable is not decisive.”Footnote 63 Article 22 of the Dublin III Regulation, as elaborated in Commission Implementing Regulation 118/2014,Footnote 64 distinguishes between probative and circumstantial evidence of a Member State’s responsibility, with Eurodac hits falling within the former category. The reliability of fingerprint identification is further manifested in the practical implementation of the Dublin rules, whereby a Eurodac hit constitutes the primary proof on the basis of which a Dublin transfer may occur.Footnote 65 Crucially, some Member States, particularly those who receive take back requests, only accept Eurodac hits.Footnote 66
Scratching below the surface of a seemingly seamless system, trust—both interstate and to modern technologies—is not a bed of roses. First, particularly since 2015—when refugees and migrants entered the EU en masse—it has been reported that in certain Member States, failure to comply with their Eurodac obligations—particularly in relation to the obligation to transmit the relevant data to the Central System within seventy-two hours—became a frequent phenomenon attributed to infrastructure deficiencies or the unwillingness of State authorities to take responsibility for asylum seekers.Footnote 67 Failure to fingerprint was thus utilized by certain Member States as a means to protest the unfairness of the Dublin system and consequently to evade their responsibilities. These deficiencies persist to date. In its audit on EU information systems, the European Court of Auditors reported that fifteen countries exceeded the prescribed time limit. It gave—as an example—the case of Spain, in which the transmission of fingerprints to Eurodac may take up to thirty days, thus leaving a person apprehended during an irregular border crossing into Spain a significant amount of time to reach another Member State and apply for asylum there.Footnote 68 In that sense, Eurodac actually undermines trust among Member States. Second, biometric identifiers constitute a special category of personal data under the General Data Protection Regulation (GDPR), thus requiring increased safeguards.Footnote 69 Third, the untested belief of the fallibility of biometric identifiers has been questioned by numerical evidence. It has been reported that 16% of inquiries in Eurodac resulted in a hit. In 10% of those cases, the biographic data was found to be inadequate, and in 4.5% of cases, the quality of the fingerprint acquired was too weak.Footnote 70 Overall, 28,195 data sets were rejected by the Central System due to insufficient quality.Footnote 71 This is not surprising, as much ink has been spilled on the data quality issues experienced in information systems, including Eurodac—due to spelling errors, lack of documentation, insufficient language skills, technical deficiencies, incorrect transcription of names into the Latin alphabet, recording of birth dates when the precise date is unknown, or lack of training.Footnote 72 Fourth, Member States have reported challenges when multiple Eurodac hits have been available, thus cancelling the probative nature of the hit. In certain cases, the lack of trust between Member States preexists and a hit may not result in a transfer, as certain Member States assume responsibility in accordance with Article 7 of the Dublin III Regulation.Footnote 73 Finally, despite the aforementioned challenges, reliance on modern technologies has led—in certain cases—to the prioritization of a Eurodac check over the investigation of family ties, thus jeopardizing the hierarchy of the Dublin criteria.Footnote 74
In light of the above, a question emerges: In an era of trust in modern technologies and administrative cooperation, what remedies are available for asylum seekers when their personal information is collected and further processed? The existence and effectiveness of such remedies are crucial in view of the adverse consequences that unlawful information sharing may have on their status; they may face transfer to another Member State, which may have very diverse refugee recognition rates.Footnote 75 There exists a two-tier remedy system for individuals whose fingerprints are processed in Eurodac: Extrajudicial, via recourse to national data protection authorities as the supervisory authorities of Eurodac, and judicial, by bringing an action before national courts. The following sections discuss these remedies in turn.
III. Extrajudicial Remedies: Of Administrative Supervision and Individual Rights
The development of nonjudicial, administrative remedies as a means of resolving disputes concerning information processing without the intervention of a national court has been fostered since the inception of EU data protection law.Footnote 76 The focal points are the national data protection authorities (DPAs), which—according to Article 8(3) of the Charter and Article 16 TFEU—ensure compliance with data protection rules. Rules on the extrajudicial remedies in connection to Eurodac are found in the GDPR, which constitutes the lex generalis, and the recast Eurodac Regulation—particularly Article 29—which is the lex specialis.
In particular, Article 77 of the GDPR prescribes the right of individuals to lodge a complaint with a DPA if they consider that the processing of their personal data infringes that regulation. The national data protection authority should inform the complaining individual about the progress and outcome of the complaint within a reasonable period, including the possibility of a judicial remedy.Footnote 77 Indeed, the role of national DPAs in supervising the lawfulness of the processing is crucial and an “essential correlate of the rule of law.”Footnote 78 It is all the more necessary in the case of Eurodac, which processes a special category of personal data—fingerprints—collected from a particularly vulnerable group of individuals.Footnote 79 The model opted for in the recast Eurodac Regulation—and all other EU centralized information systems, for that matter—consists of two independent tiers of external supervision.Footnote 80 On the one hand, the monitoring of the national authorities is entrusted to national DPAs.Footnote 81 On the other hand, the supervision of EU institutions, in casu eu-LISA, is bestowed on the European Data Protection Supervisor (EDPS).Footnote 82 The latter shall ensure that an audit of eu-LISA’s personal data processing activities is carried out at least every three years; a corresponding report should reach the European Parliament, Council, the Commission, eu-LISA, and the national data protection authorities.Footnote 83 Internally, eu-LISA is further supervised by its Data Protection Officer, who receives complaints concerning actions of eu-LISA affecting individuals.Footnote 84 As foreseen in Article 32 of the recast Eurodac Regulation, the two branches meet in the framework of the Eurodac Supervision Coordination Group, which comprises national DPAs and the EDPS and, thus, exemplifies vertical cooperation between national supervisory authorities and the EDPS.Footnote 85
Articles 29(14) and (15) of the recast Eurodac Regulation particularize the protection of Article 77 of the GDPR—guaranteeing the right to bring a complaint before competent authorities—in two cases: a) If asylum seekers are refused the right of access, or b) in order to exercise their rights of correction or deletion. These rights—access, correction, and erasure—along with the right to information,Footnote 86 constitute the key individual rights foreseen in data protection law and are enshrined in the recast Eurodac Regulation.Footnote 87 Individual rights derive from the right to good administration, a general principle of EU law that binds EU institutions and bodies—as well as Member States—in all procedures, including procedures for granting protection.Footnote 88 They are also in line with the principle of transparency, as enshrined in Article 5(1) of the GDPR.Footnote 89 In fact, the individual rights of access and correction are also foreseen in Article 8 of the Charter. Particularly, the right to access is an integral part of the right to an effective remedy, as protected under Article 13 of the European Convention on Human Rights (ECHR) and Article 47 of the Charter. The European Court of Human Rights (ECtHR) has found that a person needs to be able to challenge the data storage or to refute the truth of the information, including when it is stored for security purposes.Footnote 90 In addition to these individual rights, the recast Eurodac Regulation provides that any person who has suffered damage as a result of an unlawful processing operation or any act incompatible with the recast Eurodac Regulation is entitled to receive compensation from the Member State responsible for the damage suffered.Footnote 91 Claims of compensation against a Member State shall be governed by the provisions of national law of the defendant Member State.
Despite the existence of extrajudicial remedies, as outlined above, their effectiveness is highly questionable. First, national DPAs may receive complaints related to the rights of access, correction, and deletion, but not in connection with how applicants are informed about the purposes and processing of their personal data within Eurodac—where, as shown later in this section, there are practical implementation problems with asylum seekers not always receiving and/or comprehending the necessary information during fingerprinting. Second, though available information is scarce, practice shows that recourse to DPAs is very limited. The Eurodac Supervision Coordination Group reports that in the period from 2016–2017, the DPAs in only two participating States—IrelandFootnote 92 and the UKFootnote 93—received complaints.Footnote 94 In the 2014–2015 reporting period, Denmark was the sole Member State that received two complaints; but the Danish authorities were unable to get in touch with the applicants, who departed Denmark shortly after filing the complaints.Footnote 95 Though the primary focus of this Article is on horizontal cooperation, it is worth noting that the EDPS—who, as aforementioned, may receive complaints concerning the management of Eurodac by eu-LISA—has also received no complaint during these reporting periods. Prior to 2016, there is no available information.Footnote 96
The few complaints before national DPAs go hand in hand with the limited number of requests for the exercise of individual rights before national authorities. The great majority of Member States have not recorded any requests for access since July 2016. One Member State recorded six requests in 2016, fifty-five requests in 2017, and twenty requests in early 2018. Several Member States have records of two requests, and one has reported less than five.Footnote 97 According to eu-LISA, in 2015, eighty-nine requests for access were submitted. In 2016, the number rose to 156.Footnote 98 Only two Member States have received one request from a data subject to correct his or her personal data.Footnote 99 In light of the above, it cannot be reasonably expected that asylum seekers lodge complaints with national DPAs. If the exercise of their individual rights of access, correction, or deletion—which are prerequisites for a complaint—is very limited, how can they have recourse to the DPAs? The fish stinks from the head down.
The disappointing landscape may be attributed to three main reasons. First, asylum seekers may be prevented from lodging requests and complaints due to administrative obstacles and language barriers. In the case of asylum seekers, such hurdles may involve their persecution or conflict in their country of origin. For example, FRA refers to the case of an asylum seeker in Sweden who was not in a position to present a Syrian passport, which she had been requested to present as proof in order to carry out a correction.Footnote 100
Second, the provision of information to applicants about the purposes of Eurodac and their individual rights presents problems. Officers find it challenging to give information on all aspects of the data processing at the time of taking fingerprints. The right to information—pursuant to the recast Eurodac Regulation—includes the provision of information regarding the rights of access, correction, and deletion, as well as the right to receive information on the procedures for exercising those rights—including the contact details of the controller and the national supervisory authorities.Footnote 101 This results in people often being unaware of why they give their fingerprints and what happens to them. In that respect, the Eurodac Supervision Coordination Group notes that national authorities try to verify that asylum applicants are being asked to confirm whether they have understood the information with which they have been supplied.Footnote 102 However, some Member States do not use the model leaflets, in accordance with Article 29(3) of the recast Eurodac Regulation.Footnote 103 Although understanding the administrative procedures may be a common issue in relation to all information systems, asylum seekers face additional challenges. They may not be able to absorb data protection-related information as they may be preoccupied with more acute priorities—primarily, the need for protection.Footnote 104
Third, it is not just asylum applicants who may lack awareness. The limited pool of specialized lawyers and NGOs with expert knowledge on biometrics and data protection rules also plays a role. Legal professionals interviewed by FRA note the rarity of such cases coupled with the length of the process and the lack of available expertise in technical matters. However, a question emerges: Are the cases rare because there are no specialized legal professionals, or will the number of cases remain low even if there is expertise?Footnote 105 One can only speculate, but as awareness of the use of personal data by applicants grows and as more trained professionals become available for legal representation, the more likely it is that the “tools” offered by data protection legislation will be effectively used. Furthermore, if the more pressing needs for humane living conditions of asylum applicants are safeguarded, the more likely it is that they will consider other matters encroaching upon the protection of their fundamental rights, such as the processing of their personal data.
IV. Judicial Remedies: In-Between Limited Review and Interstate Trust
Lodging a complaint before a national supervisory authority is not an “effective remedy,” according to Article 47 of the Charter, as the intervention of a “tribunal” is necessary. The GDPR, as the lex generalis, confirms that the right to an effective judicial remedy must be provided in relation to decisions by the “controller” or the “processor” of personal dataFootnote 106—that is, the Member State(s) processing Eurodac data—as well as the supervisory authority.Footnote 107 Furthermore, apart from governing extrajudicial remedies, Articles 29(14) and (15) of the recast Eurodac Regulation ensure the right to an effective judicial remedy by guaranteeing the right to bring an action before the courts of the State in the same cases that were mentioned in the previous section: If individuals—whose data is processed in the system—are refused the right of access, or in order to exercise their rights of correction or deletion.
Legal scholars correctly point out that the traditional national system of judicial review is challenged in the case of cross-border composite procedures,Footnote 108 like Eurodac, primarily because the final administrative act under review is the result of the input of administrative actors of different Member States.Footnote 109 In addition, the factors listed in the previous section—affecting recourse to extrajudicial remedies—may equally affect judicial review. The paragraphs below elucidate examples of relevant case law by distinguishing between cases that dispute the accuracy of the Eurodac record and cases contesting the procedural aspects of Eurodac.
1. Disputing the Eurodac Record
In the early days of Eurodac cooperation, the reliability of a Eurodac match was disputed in two Tribunal cases in the UK. In YI, the Immigration Tribunal was asked to rule on how a Eurodac hit should be approached and assessed by an Immigration Judge, in a case where the matched data involved an asylum claim made in Italy at a time when the applicant in question claimed to have been undertaking military service in Eritrea from which he deserted.Footnote 110 Whereas the UK Home Office emphasized the sufficient reliability of fingerprint data, the Tribunal opined that the Immigration Judge was right in requiring as evidence more than a mere assertion of a match to prove that the fingerprint records established that the applicant had lodged a previous application in Italy. Thus, specific evidence is required, such as photographs, age, name, and claim details. Though the Tribunal did not contest the correctness of the Italian entry and refrained from commenting on the possibility of a false hit, it did opine that further evidence to confirm the existence of a match is needed. General evidence might also be properly admitted about the reliability of the Eurodac system and how it operates.Footnote 111 Crucial in the judgment was the fact that the fingerprint match was asserted via an email, with no further information and following a previous unsuccessful attempt.Footnote 112 The later case of RZ demonstrated that where more evidence is provided, it is extremely difficult to challenge the accuracy of the fingerprint evidence.Footnote 113 That case confirmed that fingerprint evidence may be challenged but rejected the claimant’s argument that a fingerprint match should be treated as an allegation of fraud, which would engage a higher standard of proof than the balance of probabilities. This finding contradicts the decision in YI, where it was opined that the standard of proof is the “proof to a high degree of probability” because the UK Home Office—in essence—accused the applicant of committing fraud.Footnote 114 Here, the fact that an identified match was validated through visual inspection by a fingerprint expert was key in finding that the Eurodac match was determinative.
The extent to which Eurodac records are wholly reliable has also emerged in France. In 2016, a Dublin transfer on the basis of a Eurodac match was disputed before the Administrative Tribunal of Nantes. The case involved a Cameroonian who, after having been subject to an expulsion order from Spain for having entered irregularly, applied for international protection in France.Footnote 115 The prefecture of Vendée ordered the transfer of the applicant to Spain, which had accepted the “take back” request. The Tribunal found that the prefecture had justified the transfer decision based on the applicant’s fingerprints being recorded in Eurodac, which established that he had previously filed an application for asylum in Spain. However, other documents in the file—including an interview carried out by the Spanish authorities—showed that he had in fact been apprehended for an irregular border crossing and had not filed an asylum claim in Spain. Therefore, the transfer decision was based on erroneous information and was thus quashed—also because the applicant’s personal circumstances were not examined. The wrongful categorization of the applicant’s situation as an asylum applicant, instead of an irregular entrant, had significant implications on the Dublin transfer as—pursuant to Dublin rules—the responsibility for examining the application for international protection ceases twelve months after the date on which the irregular border crossing took place.Footnote 116 In this case, the French court did not hesitate to expressly review the lawfulness of the applicant’s Eurodac registration by the Spanish authorities as an asylum seeker where he was, in fact, an irregular migrant. As the French authorities based their administrative decision to transfer on the mistaken categorization of the applicant by the Spanish authorities, the decision was ultimately challenged and annulled. By reviewing the Eurodac entry, the French court was able to quash the transfer decision.
In the Netherlands, on September 1, 2016, the Dutch Council of State (Raad van State) ruled on the declaration of an asylum application as inadmissible by the State Secretary and corresponding refusal to grant a temporary residence permit.Footnote 117 It did so because the asylum seeker in question already enjoyed international protection in Greece, as per the corresponding Eurodac record dated from January 2015.Footnote 118 However, the Eurodac search dated back to September 2015 and, as a result, the information extracted was not sufficiently recent when the case was heard in May 2016. The Council of State confirmed that the State Secretary may, in principle, rely on information from another Member State and only has a duty to verify the information under certain circumstances.Footnote 119 As the Greek authorities were obliged under Article 18(3) of the recast Eurodac Regulation to remove a Eurodac result when the status stated therein had been revoked and/or the foreign national had not substantiated that the Eurodac result was incorrect in his case, according to the Court, there were no such circumstances. Thus, the State Secretary was allowed to rely on the Eurodac result without further investigating the residence status of the foreign national in Greece. However, the Court contended that the time had elapsed because the search in Eurodac by the Dutch authorities should be minimal and that information needed to specify the residence rights of the applicant upon return. Lacking these elements, the Council of State ruled that the State Secretary was required to further investigate whether the applicant was still in possession of a valid residence permit or any other permission to reside, issued by the Member State in question. This is because Article 18(3) does not prescribe specific time limits for national authorities to update the relevant records in cases when the circumstances of an applicant have changed. Therefore, it could not be assumed that the information was updated. As a result, the presumption that the applicant would be granted a residence permit or any other form of permission to stay upon return to Greece was unjustified. The reasoning of the Dutch Council of State was based on the lacuna in the prescriptions of the recast Eurodac Regulation and must be interpreted as inserting an asterisk to the trustworthiness of data from other Member States. Although in principle there is interstate trust, the time elapsed since the check of the Eurodac record is crucial. Though the Council of State did not explicitly review the Eurodac record by the Greek authorities, as in the previous case, it did implicitly express doubts as to its accuracy and reliability. Accordingly, the Council of State referred the case back to the State of Secretary, mandating further investigation and requiring the administration to complete a more thorough investigation of individual cases.
More recently, in October 2019, the District Court of ‘s-Hertogenbosch released an interim judgmentFootnote 120 in a case involving a Ghanaian national who disputed the Eurodac hit—which was triggered due to prior lodging of claims in Italy and Switzerland—alleging, inter alia, that he had traveled through France. On the basis of the hit, his asylum application was not processed and a “take back” request had been accepted by the Italian authorities. The court was requested to impose an interim measure against the decision rejecting the asylum application and to allow the conduct of a counter-expertise investigation, which was originally denied by the Secretary of State. The Court disagreed on the basis of the principle of equality of arms,Footnote 121 opining that the applicant should be allowed to provide evidence to the contrary. The decision was based on a close reading of Article 22(3) of the Dublin III Regulation—in connection with Annex II, List A of Commission Implementing Regulation 118/2014Footnote 122—according to which a “take back” request is supported by proof or circumstantial evidence. Proof, which—as aforementioned—includes a Eurodac hit, is relevant “as long as there is not evidence to the contrary.”Footnote 123 From this, it was inferred that when using Eurodac, a third-country national must be able to provide evidence to the contrary and must be “allowed and enabled” to provide this through counter-expertise. Though the Court acknowledged that the Secretary of State may, in principle, rely on Eurodac data—under the assumption that the manner in which this registration was made has been careful—in the present case, the documents submitted by the applicant had not been examined at all and his statements had been discarded. As a result, based on the argument of “equality of arms,” the Court concluded that the applicant should be allowed to provide “evidence to the contrary” and forbade the State Secretary to transfer the person concerned to Italy—as long as the outcome of that investigation was unknown. Though the national court did not review the Eurodac record itself, it instructed the administration to investigate the matter without blindly trusting the information contained in the database. However, as Brouwer submits, it is unclear why the court did not directly refer to the right to effective remedies, which combines the safeguards of Articles 6 and 13 of the ECHR.Footnote 124 Based on that right, in Ghezelbash—which is discussed in detail below—the CJEU opined that the right of an asylum seeker encompasses the right to appeal against incorrect application of the Dublin criteria in a transfer decision.Footnote 125
Overall, the aforementioned judgments demonstrate the tension between trust in modern technologies and administrative procedures—fingerprint registration in Eurodac—taken place in other Member States, which may not be infallible, and the need to safeguard the fundamental rights of asylum seekers—particularly their right to an effective remedy. The existence of interstate trust at the administrative level is coupled with gaps in effective protection. As Eliantonio has pointed out, national courts are, in principle, competent to review only the acts emanating from the authorities falling within their jurisdiction.Footnote 126 As a result, national courts are not allowed to review the legality of measures issued by foreign national authorities. That said, the French case could be interpreted as an example of a national court directly reviewing the legality of the Spanish administrative act of inserting the record in Eurodac. In the other cases from the UK and the Netherlands, though, the courts are silent about the reviewability of the foreign acts. They provided guidance to the administrative authorities on how to treat Eurodac matches and circumscribed the degree of technology-based interstate trust, by noting the need for further evidence to corroborate a match and requiring the delivery of prompt administration. However, the gap in judicial protection remains, with the only available remedy being prescribed in Article 37 of the recast Eurodac Regulation—which foresees a compensatory remedy, on the basis of which Member States are liable for damages caused as a result of an unlawful processing operation or any act incompatible with the regulation.
These findings, in connection with Eurodac, are not an isolated phenomenon. Brouwer,Footnote 127 Tidghi,Footnote 128 and EliantonioFootnote 129 have highlighted the limited reviewability of information provision measures in the framework of SIS, which registers inter alia alerts on unwelcome third-country nationals in accordance with Regulation 2018/1861.Footnote 130 As in Eurodac, the alleged unlawfulness of an SIS alert resulting in the annulment of the national decision of refusal of entry or stay on national territory has been scarcely reviewed, with the decision in Forabosco by the French Court of State being pivotal in this context.Footnote 131 However, there is no legal certainty that national courts will directly review possible irregularities of records in EU information systems. Further research on the reviewability of foreign acts is needed in that regard.
One final remark is due here. Although no judgment employs data protection principles per se, the judgments hint towards the importance of the data protection law principle of data quality, which—according to the GDPR—requires the data to be accurate, relevant, and up-to-date.Footnote 132 Beyond its data protection origins, the quality of data is linked to the “duty of care” owed by national administrations. In light of the rule of law, safeguarding the administration’s ability to rely on accurate data to make decisions that produce legal effects is crucial for the legitimacy of administrative output.Footnote 133 Therefore, an in-depth assessment of the information by the administration is necessary.Footnote 134 Thus, the case analyzed just above illustrates that interstate trust may clash and prevail over the requirements of the “duty of care,” with significant fundamental rights implications. In such cases, enabling the individual to provide counter-evidence and facilitating further investigation—in particular, by providing the applicant with the necessary financial means for further investigation—should be brought within the remit of the “duty of care.” Finally, the possibility of asylum seekers to exploit such procedures, so as to overturn transfer decisions and delay the Dublin procedure, cannot be overruled. However, a way forward could be through the use of national procedural rules—for example, as regards the payment of judicial costs.
2. Breaches of the Eurodac Procedure at the National Level
The procedural rules of Eurodac have also been contested before French courts. In certain cases, the applicants sought annulment of their transfer under Dublin rules due to the failure of the French administration to provide applicants with relevant information at the time of fingerprinting, in accordance with Article 29 of the recast Eurodac Regulation and Article 4 of the Dublin III Regulation. On May 10, 2017, the Council of State highlighted that the right is important for the protection of the applicant’s personal data in the exercise of the rights of rectification or erasure. However, that is the sole purpose of those rights and such irregularities cannot result in a transfer decision being annulled.Footnote 135 Furthermore, according to the Administrative Tribunal of Nantes—in its decision of May 22, 2014—that result could only be achieved when a breach of the right to information was coupled with concerns as to the deteriorated reception conditions in Italy, as a result of the increase of arrivals. In fact, the Italian authorities had not responded to the transfer request.Footnote 136 Though these cases do not unearth challenges raised by the multilevel operationalization of Eurodac as a horizontal composite procedure, they nonetheless illustrate that there are significant loopholes in the protection of individual rights of asylum seekers and their recourse to effective remedies—not only at an extrajudicial level, as stressed earlier, but also at a judicial level. A way forward could be the assignment of specific consequences in cases of breaches of individual rights at a national level, in a future recast of the Eurodac rules.
Finally, the Administrative Court of Appeal of Lyon was confronted with the case of an Afghan national who submitted an asylum claim in France, but whose fingerprints were recorded in Slovakia, Sweden, and Italy in previous years.Footnote 137 As a result, he was issued with a transfer order to Italy, which he contested—not because he questioned the reliability of the matches but due to an infringement of Article 25(4) of the recast Eurodac Regulation regarding the verification of the match by a fingerprint expert. The Court took the view that because the reliability of the information resulting from the comparison is not seriously criticized, that procedural guarantee—even if breached—was not serious enough to invalidate the transfer order. The latter case may be interpreted as the French court showing deference to the Eurodac record, as inserted by the Italian authorities, in an implicit leap of faith in relation to the system and its reliability.
The cases above demonstrate a striking contrast between disputing the Eurodac record and following the procedures. In essence, a violation of the right to information—pursuant to the Eurodac Regulation—may only influence the exercise of individual rights and has no bearing in the Dublin process, thus breaking the inextricable link between Eurodac and Dublin. As for the verification of fingerprints, the judgment reveals that in practice, a violation of Eurodac rules will not affect the transfer process. This interpretation of Article 25(4) is not supported by the text and is contra legem. According to Article 25(4), the match must be “immediately checked in the receiving Member State by a fingerprint expert as defined in accordance with its national rules, specifically trained in the types of fingerprint comparisons.” Consequently, there is no room for maneuver for national authorities to avoid such verification. Considering the rarity of these cases before courts, this approach of tolerance towards the irregularities by national authorities may increase their appetite to circumvent the verification stage en masse, effectively neutralizing the guarantees embedded in the recast Eurodac Regulation.
D. Information Sharing Under the Dublin III Regulation
As mentioned in the introduction—in addition to the Eurodac rules—the Dublin system itself lays down provisions regulating horizontal transnational cooperation among administrations, without the involvement of EU institutions, agencies, or bodies. These rules involve information sharing, both before and after establishing the responsibility of the Member State. In the sections below, these rules are explored, starting with those regulating information exchange with a view to carrying out a transfer.
I. Pre-Dublin Transfer
Article 31(1) of the Dublin III Regulation foresees the possibility for the exchange of “personal data which is appropriate, relevant and non-excessive” to ensure that the competent authorities can provide the person with adequate assistance. Furthermore, Article 32 details rules specifically concerning the sharing of health data requiring the transferring Member State to transmit information on any special needs, which may include information on that person’s physical or mental health. Use of health data must only take place between health professionals who receive the health certificates, and the explicit consent of the applicant and/or their representative is necessary.
These provisions were inserted in the latest incarnation of the Dublin Regulation, and the explanatory memorandum shows their clear rationale, namely “ensuring continuity in the protection offered to applicants under the Dublin procedure subject to transfer decisions.”Footnote 138 As a result, these rules are aimed at increasing the level of fundamental rights protection afforded to asylum seekers. Therefore, their enforceability before national courts as rules aimed at raising the protection of fundamental rights of Dublin transferees cannot be disputed. As in the case of biometric identifiers, health data also constitutes a special category of personal data. Under Article 9(1) of the GDPR, high standards of protection are therefore required. Consequently, the fact that health data may have been accessible to staff members other than health professionals—including the police, thus in violation of the purpose limitation principle of data protection lawFootnote 139—could be subject to litigation before national courts.Footnote 140 The same applies in cases where health data is transmitted without the consent of the individual.Footnote 141
II. Preliminary Checks Before Establishing Member State Responsibility
Article 34 provides an information exchange mechanism with a view to making a preliminary check as to whether there is a criterion that is likely to determine another State’s responsibility for examining an application for international protection.Footnote 142 Such requests are submitted through DubliNet, using Annex V of Commission Implementing Regulation 118/2014. This is a useful option in cases where there is only limited circumstantial evidence that another Dublin State is responsible for examining a claim.
Article 34 contains detailed safeguards on the categories of data requested and shared, the authorities involved, and the individual rights of the applicant. In particular, every Member State must communicate to any Member State personal data—to the extent that is appropriate, relevant, and non-excessive—for determining the Member State responsible, examining the application for international protection, and implementing any obligation under the Dublin system.Footnote 143 There is an exhaustive list of categories of data to be shared, including personal details of the applicant, identity and travel papers, and Eurodac fingerprints.Footnote 144 The applicant must give their consent in writing to the exchange of this information. There is leeway to the requested State to refuse to respond if the communication of such information is likely to harm its essential interests, or the protection of the liberties and fundamental rights of the person concerned or others.Footnote 145 Any request for information shall only be sent in the context of an individual application for international protection. Yet, according to Article 34, requests must not be sent without some indication of the basis upon which potential responsibility might be determined. This is to prevent Member States from making an excessive number of purely speculative, blanket requests to each other.Footnote 146 As a result, Article 34(4) foresees that the request must detail the “grounds on which it is based” and, where its purpose is to conduct a preliminary check for potential responsibility of the requested Member State, evidence or reference to a specific part of the applicant’s statements must be communicated.
Any exchange of information may take place between authorities designated by the Member StatesFootnote 147 and specific authorities and courts within the receiving Member State.Footnote 148 In addition, the forwarded information must be accurate and up-to-date.Footnote 149 As in the case of Eurodac, the applicant has the right to be informed upon request of any data concerning themFootnote 150 and to seek their correction or deletion.Footnote 151 In terms of remedies, the applicant is entitled to bring an action or a complaint before the competent authorities, or courts or tribunals of the Member State which refused the rights of access, correction, or erasure. Finally, the retention period of the transmitted data is determined under national law and must be for so long as it is necessary for the purposes for which they are exchanged.Footnote 152
A first issue emerging from the operationalization of Article 34 concerns the extent to which interstate trust in the procedures and information provided by another Member State extends beyond the prescriptions of the recast Eurodac Regulation to encompass information on the applicant. This information is collected and stored at the domestic level and under national legislation. An insight into the extension of trust beyond the Eurodac requirements may be found in a Dutch case involving an Eritrean asylum seeker who, though a minor, was registered as an adult by the Italian authorities. When she applied for international protection in the Netherlands, she informed the immigration authorities (IND) that she was in fact fifteen. The IND, however, refused to treat her as a minor—relying upon the data submitted by the Italian counterparts on the basis of the principle of interstate trust. As a result, the minor did not receive appropriate protection, even though she corroborated her statement about her age with documents, and her appearance and behavior made clear she was a minor at the time. In its decision of April 4, 2019,Footnote 153 the Dutch Council of State affirmed the importance of interstate trust, holding that the State Secretary had—in principle—rightly assumed that the registration of the applicant as an adult had been carried out carefully, so that it was up to the foreign national to demonstrate that the date of birth registered in Italy was incorrect.Footnote 154 In the Court’s view, the applicant had failed to do so; a baptism document that was submitted was not accepted, as it was not an identifying document issued by the Eritrean authorities. Furthermore, as a copy of a school card did not include her place of birth, that was also considered insufficient.Footnote 155 Therefore, the Court found that it was correct not to doubt the date of birth registered in Italy and thus to not offer an age test. This is despite the fact that the incorrect registration of a minor’s age is a common occurrence—particularly in periods of chaos, when large numbers of asylum seekers arrive, but sometimes also due to miscommunication or a lack of information provided to minor asylum seekers.Footnote 156 The Court accepted the possibility that the registration by the Italian authorities could be unlawful but placed the burden of proof on the applicant, without properly taking into account the surrounding circumstances, such as the possible minority of the applicant or the country involved in the process. Read in conjunction with the Dutch judgments discussed in Subsection C(IV), it can be argued that in order to safeguard the right to an effective remedy, the Council of State could have mandated the minor’s age to be further investigated by the IND—for example, through specific medical checks by experts.Footnote 157 Otherwise, in the interest of automaticity and trust in information provided by other Member States, the risk of undermining the legal position of asylum seekers is particularly high. The case is thus illustrative of the uneasy relationship between the protection of fundamental rights, including the right to an effective remedy, and interstate trust. It may be argued that this tension is, to some extent, inevitable, as it cannot be expected of the national court to assume jurisdiction and review the lawfulness of the fingerprinting registration in Italy. However, approaching the registration by the Italian authorities with some caution and, in turn, treating the asylum applicant without suspicion of attempting to defraud the authorities could have resulted in a different outcome. There is, of course, the danger that a different approach could allow asylum applicants to exploit the possibility of contesting the fingerprinting process in the receiving country, by claiming irregularities, in an effort to prolong the coming into effect of the transfer decision.
The second issue revolves around the justiciability of the rules enshrined in Article 34, as described above. Some background information is needed here. First, the origins of Article 34 are traced back to Article 15 of the Dublin Convention. Second, Recital 19 and Article 27 of the Dublin III Regulation provide for the right to an effective remedy in respect of decisions regarding transfers “in the form of an appeal or a review, in fact and in law.” Third, the article is located under Chapter VII, headed “Administrative cooperation,” and in a different chapter of the Dublin III Regulation than Articles 31 and 32, which can be found in Chapter V. The question that emerges is the following: Are the rules of Article 34 merely of an administrative nature, or can they be used by individuals to invoke enforceable rights? In other words, is Article 34 within the scope of Article 27, on the right to an effective remedy? This question was ultimately answered in the negative, in BS and RS v. Refugee Appeals Tribunal and Ors,Footnote 158 a case concerning two Albanian nationals who lodged an asylum application in Ireland. Due to doubts concerning the circumstances under which they had arrived in the country, the Office of the Refugee Applications Commissioner (ORAC) submitted a request for information to the UK under Article 34 to determine whether that state was responsible for determining their applications in accordance with the Dublin criteria. Due to geographical proximity, it has been found that three-quarters of asylum seekers arrive in Ireland through the UK. That was the case here as well. The UK confirmed that the applicants had been registered with the UK authorities, as they had applied under different names for a visa in Warsaw—information that contradicted the applicants’ statements.Footnote 159 Thus, in accordance with the Dublin criteria, the UK was responsible for examining their applications, as the country that had issued a valid visa.Footnote 160 The problem was that ORAC had failed to provide details of the grounds on which the request was made, as required by Article 34(4). Instead, ORAC transmitted the fingerprints of each applicant to the UK authorities as the indicative evidence. Thus, the applicants claimed that on the basis of the “fruits of the poisoned tree” principle, the information was unlawfully obtained, could not be relied upon, and the transfer orders were unlawful. The Refugee Appeal Tribunal upheld the finding by ORAC that the UK was the responsible Member State, and the applicants sought judicial review.
First, the High Court found that a breach of Article 34 does not give rise to a right to challenge a transfer decision made on the basis of information which may have been retrieved in violation of Article 34.Footnote 161 As the title of the article indicates, the rules concern administrative cooperation among Member States.Footnote 162 As a result, Article 27 of the Dublin III Regulation—entitling asylum seekers to a right to an effective remedy, in the form of an appeal or a review in fact and in law against a transfer decision—is not applicable. In support of this view, it was submitted that in her opinions in the cases of Ghezelbash Footnote 163 and Karim,Footnote 164 Advocate General Sharpston found that only Articles 7–15 of the Dublin III Regulation—envisaging the hierarchical criteria—could be subject to review and should be included within the remit of a right to an effective remedy.Footnote 165 That approach has been endorsed by the CJEU.Footnote 166 In Humphreys J’s view, the fact that those articles were specifically singled out is a strong suggestion that “other articles of the Regulation are not properly matters for review at the suit of an individual aggrieved applicant.”Footnote 167 Ghezelbash acknowledges a right to an effective remedy in respect of any transfer decision,Footnote 168 but not a right of action on the part of an asylum seeker in relation to all aspects of the Dublin III Regulation.Footnote 169 Crucially, due to the systematic inclusion of Article 34, the trial judge concluded that a breach of Article 34—by failing to state the grounds of a request—is not an infringement of the rights of the applicant and could merely qualify as an “inconvenience” to the requested Member State, which is not given a more full and complete statement of the reasons why it is sought.Footnote 170
On appeal, it was submitted that Article 27(1) does not specify what components of the decision-making process leading up to the transfer decision may be the subject of an appeal or review.Footnote 171 Indeed, Advocate General Sharpston favored a broad interpretation of Article 27(1) that conferred a “wider right of appeal or review, ensuring judicial oversight of the competent authorities’ application of the relevant law (including the Chapter III criteria) to the facts presented to them.”Footnote 172 Thus, there was no barrier in expanding the protection net of the right to an effective remedy beyond Chapter III. Peart J rejected these statements, though he recognized that the Dublin III Regulation contains a variety of procedural and substantive safeguards designed to protect the rights of those seeking international protection. He found that Article 34 “confers no right or entitlement.”Footnote 173 As a result, it cannot be accepted that the applicants perform a “trick of the loop” to evade transfer when the application of the hierarchical criteria is correct.Footnote 174 It is noteworthy that there was a dissenting judgment from Hogan J, who could not “ignore the fact that a good deal of Article 34 appears to be designed to protect the data protection rights of applicants for international asylum.”Footnote 175 As a result, he took the view that a preliminary reference was necessary, as the question of whether Article 34 gave rise to individually enforceable rights remained open.Footnote 176
The Irish Supreme Court unanimously upheld the Refugee Appeal Tribunal decision and found that there were no issues concerning the applicability of Article 34, which required referral to the CJEU.Footnote 177 The Court opined that, according to Article 34(2), fingerprints are listed among the information that may be sought by the requested country. The fact that the UK did not ask Ireland for fingerprints did not mean they could not be provided and, as a result, no breach of Article 34 took place.Footnote 178
In light of the above, applicants whose data may have been transferred in breach of Article 34 are not effectively protected, due to the defected systematic categorization within the Dublin III Regulation. As a result, any exchange of items beyond the list of Article 34(2), particularly in cases where they are found responsible for the examination of the application and where they request information about the grounds of the application for international application, is not protected.Footnote 179 Similarly, in cases where the applicants are not informed about the transfer of their data—in breach of Article 34(9)—there is no requirement by EU legislation for a remedy, and protection is thus dependent upon the prescriptions of national law, if any. Indeed, the Dublin Evaluation report suggests that in cases of breaches in data protection, the applicants may have recourse to remedies if and in accordance with national legislation—which can take the form of appeals to challenge decisions,Footnote 180 or complaints sent to the national authority dealing with data protection or other similar competent authorities.Footnote 181 It is thus regrettable that the Irish courts did not consider it appropriate to submit a reference for a preliminary ruling to the CJEU for an interpretation of Article 34. The interpretation by the Irish Supreme Court may render Article 34 devoid of its protection function. In essence, the systemic approach took precedence over the interpretation of the substance, thus depriving Article 34 of its effectiveness. Arguably, this interpretation may have been preferred so as to prevent potential abuses of the right to effective remedies on behalf of asylum seekers who may take advantage of the intricacies of horizontal administrative cooperation, so as to delay the Dublin process. Indeed, such abuses cannot be fully ruled out. That said, this case illustrates that the purpose of Article 34 remains unclear. It is hereby argued that Article 34 should be interpreted as providing certain requirements to Member States when sending requests for further information to other Dublin states, the disregard of which should carry specific consequences. Otherwise, national authorities may submit such requests based on hunches and statistics. They may even send blanket requests to other countries, seeking further information about applicants in the hope that another Member State may be responsible for examining an asylum claim and, thus, try to “wash off” their responsibilities. The Commission proposal for a revised allocation mechanism replicates the rules on information sharing, which continue to be included under the same title.Footnote 182 Thus, it is not impossible that similar challenges may arise in the future. The momentum for legislative reform to address this issue could not be more ideal. One option could be the inclusion of a provision in the legislation explicitly declaring the justiciability of the prescriptions of Article 34 and prescribing specific consequences when domestic authorities fail to abide by those rules.
E. Concluding Remarks
This Article aimed at exploring the effectiveness of judicial and extrajudicial avenues for asylum seekers to seek remedies in connection with information cooperation by Dublin states. It was demonstrated that the determination of the responsible Member State may require one or more intertwined sub-procedures that are functional to the adoption of a final decision, which involves intensive information sharing. First, this Article focused on the operation of an advanced form of information sharing through an EU-wide centralized information system, namely Eurodac, which constitutes a composite administrative procedure. Galetta has rightly observed that the design of composite procedures at the EU level is geared predominantly towards achieving efficiency and optimal use of resources, but their multijurisdictional nature may diminish the protection of individual rights and possibilities of effective judicial review.Footnote 183 Though, on paper, the recast Eurodac Regulation contains detailed rules on administrative remedies, individual rights, and external supervision, practice shows that extrajudicial remedies are rarely used and the lack of recourse to national DPAs seems to be inextricably linked to the low interest in the exercise of individual rights. Furthermore, trust in national administrations seems to be shared by national courts too, whose hands seem to be tied due to the limits in assuming jurisdiction and reviewing the alleged unlawfulness of administrative acts—the insertion of a Eurodac record in the system—by foreign authorities. As a result, one could argue that national courts may have no other option but to show trust in the administrative practices of other Member States and instead impose limits in the practices of their own administrations. The gap in judicial protection for asylum seekers is evident, as in only one case has the national court directly reviewed the irregular registration in Eurodac and thus annulled the transfer decision. Besides, the case law demonstrated that no court referred the applicant to the national courts of the country that had initially registered the applicant as an asylum seeker. Therefore, on the basis of the case law analyzed in this Article, though interstate trust cannot be described as blind, it surely may be short-sighted sometimes. Such trust is expanded beyond the requirements of Eurodac to encompass the collection of information at the national level. Furthermore, the cases discussed in Section D show that although the Dublin system is concerned with the protection of fundamental rights of asylum applicants—at least to some extent—national courts are unwilling to extend the protective net to Article 34. The contrast between the rationales of Article 31 and Article 34 is striking. As a result, the existing remedies appear to be insufficient to meet the needs of asylum seekers. This Article calls for a more thorough investigation of individual cases—both by national administrations and courts—which will ultimately result in better administrative decisions, without the “ankylosis” that may accompany interstate trust and the limitations of judicial review of administrative decisions coming from outside the jurisdiction of the domestic court.
A few final thoughts are due here. The forthcoming interoperability of EU information systems,Footnote 184 including Eurodac—namely, the ability to exchange data and to share information so that authorities and competent officials have the information they need, when and where they need it—is bound to further complicate informational cooperation among national authorities. The input of a significantly larger array of national and EU authorities—for example, Europol or the European Border and Coast Guard (EBCG)—will influence decisions on asylum seekers. As a result, it is expected that the exercise of individual rights, and thus recourse to remedies, will be heavily affected.Footnote 185 In this dystopian scenario, recourse to vertical cooperation seems a sensible solution and eu-LISA, as the agency responsible for the operational management of information systems, may play a significant role in that respect. One way forward could be the setting up of an EU complaints mechanism, based on the EBCG modelFootnote 186 and with the involvement of the EDPS, where individuals affected by information sharing could seek administrative review. Admittedly, this mechanism may not be effective either. One thing is for sure, however, in an era of the omnipresence of information: Questions about how to reconcile effective administrative cooperation and the protection of fundamental rights are bound to preoccupy us.