Eurodac Unmasked: The Dangerous Blurring of Asylum and Security

Post by Valeria Ferraris and Eleonora Celoria. Valeria Ferraris holds an International PhD in Criminology and is an Associate Professor of Sociology of Law and Sociology of Deviance at the University of Turin, Italy. Her research focuses on migration management and control, administrative detention, and the role of courts in migration-related issues. Eleonora Celoria is a lawyer and holds a PhD in law. She collaborates as a research fellow with FIERI, a migration research institute based in Turin. Her research interests concern EU and Italian asylum, mobility and detention policies. This post is part of a thematic series on the EU Pact on Migration and Asylum, edited by Giuseppe Campesi and José Angel Brandariz. Read the introduction here.

Almost seven years ago, in 2017, I wrote on this blog that Eurodac - the European asylum database managed by EU-Lisa, the European Agency for the operational management of large-scale IT systems in the area of freedom, security, and justice - went beyond the original purpose of establishing which EU Member State is responsible, following the Dublin Convention, for the reception of asylum applications. I was writing shortly after the entry into force of the 2013 Regulation, which added the not well-defined ‘law enforcement purposes’, allowing Member States’ designated authorities and the European Police Office (Europol) to request the comparison of fingerprint data with those stored in the Eurodac Central System.

With the approval of Regulation (EU) 2024/1358, Eurodac has transformed into a database with a multitude of purposes and functions. It is no longer limited to its original role but has become multipurpose and multifunctional, expanding its scope significantly. 

In its expanding role, Eurodac aims to be the operational cornerstone of a system for managing migration and asylum characterized by overlapping international protection policies, the return of irregular migrants, and mobility control.

This confusion was already evident after the approval of the so-called interoperability regulations, which made Eurodac one of the six building blocks of a socio-technical device that connects previously separate and autonomous information systems, through a new integrated architecture for identity management. To sum up, interoperability facilitates a data mining operation on data stored in previously independent databases, thereby definitively obscuring the boundaries between border management and control procedures and security policies, severely compromising the fundamental rights of individuals.

What was once obscured in 2017 is now becoming evident: Eurodac has evolved from a purely bureaucratic tool that supported the implementation of the Dublin Convention into a hybrid instrument. This evolution has significant implications for the migrant population, as it now serves both management and investigative functions. It has become a key component of the new digital governance of borders, particularly in terms of mobility control, where the migrant on the move is always seen as a potential threat.

Today’s Eurodac

Eurodac  has experienced a significant increase in the data collected and traffic from 2003 to the present. Today, it is a widely used tool, employed by all EU Member States, as well as Switzerland, Norway, Liechtenstein, Iceland, and Europol. In 2023, 1.78 million fingerprints were transmitted to Eurodac for registration or comparison, bringing traffic levels back to those of 2015-2016, when, following the so-called refugee crisis, the system reached its peak (1.92 million in 2015 and 1.64 million in 2016). As of December 31, 2023, the central database holds approximately 7.5 million fingerprints, mostly from asylum seekers, highlighting its extensive usage and significance.

The system currently collects data on three categories of people over 14 years old: applicants for international protection; migrants apprehended for irregularly crossing an external border; and migrants found illegally staying in a EU Member State, to check whether they had previously lodged an asylum application in another one. The data of applicants is stored for 10 years, while the data of persons irregularly crossing the border is kept for 18 months and then erased. For the third category, data is not stored but only entered for comparison. National Data Protection Authorities supervise the data processing.

Future's Eurodac: A new system for tracking movements…

Eurodac's transformation is also reflected in whose and what type of data can be collected, which have changed significantly. The new regulation covers six groups of migrants who are at least six years old (a lower threshold compared to the 14 years set previously) and who enter the EU territory under various circumstances (disembarkation following a sea rescue, irregular entry, humanitarian admission), or who are found in irregular situations, for which States can "require the provision of biometric data".

Specifically, this concerns:

• a) applicants for international protection (→ as defined by the Asylum Procedure Regulation);
• b) persons involved in a national or European resettlement or humanitarian admission procedure;
• c) foreign nationals apprehended at the time of irregularly crossing an external border of the European Union;
• d) foreign nationals residing illegally in a Union State;
• e) foreign nationals rescued during search and rescue operations at sea;
• f) beneficiaries of temporary protection.

The new regulation allows for the 'tracking' of various events related to the same person, creating data sequences attributable to a single individual. The Regulation 2024/1358 clarifies that this new data collection and storage method has nothing to do with determining the State responsible for examining an asylum application. It states that "in order for Eurodac to effectively assist in the control of irregular immigration to the Union and in the detection of secondary movements within the Union", the system must be able to "count applicants as well as applications, by linking all datasets corresponding to one person, regardless of their category, in one sequence" (Recital 27).

This shift marks a significant evolution of Eurodac from a tool originally designed to support asylum procedures into a broader instrument of migration control, aiming to enhance the Union's capacity to manage, monitor and control the movements of non-EU nationals across its territory.

…and identification

The logic of control, which relies on tracking an individual's movements as a continuous sequence, has also influenced the nature of the data that can be recorded.

This includes all data that determine the complete identification of the person, particularly fingerprints and personal details (name, surname, date and place of birth, gender, nationality), as well as facial images and, where available, identity or travel documents. The Regulation justifies the registration of data from asylum seekers, individuals rescued at sea, and those crossing borders irregularly as necessary to "facilitate their identification and the issuance of new documents and [...] ensure their return and readmission, as well as to reduce the risk of identity fraud" (Recital 22).

This reinforces the trend of merging the figure of the asylum seeker with that of the irregular migrant. This tendency is also reflected in other legislative instruments of the new Pact, notably the Screening Regulation, which establishes a single control procedure upon entry, applicable equally to asylum seekers and irregular migrants.

Migration control and security checks

The new Screening Regulation requires States to conduct identification procedures, health and security checks, and vulnerability assessments for foreign nationals at the EU’s external borders, including asylum seekers and irregular migrants. Based on these assessments, individuals are then directed towards asylum, rejection, or return procedures. Security checks involve cross-referencing personal data with national and European databases related to immigration and crime prevention. If a match is found, the individual is immediately flagged as a potential security risk upon entry, marked with a security “flag” indicating a “threat to internal security.” These checks rely not only on Interpol and Europol databases but also on the six core systems of the EU’s interoperability framework, including Eurodac.

But what does it mean to be considered a "threat to internal security"? The Pact offers no clear definition. The Eurodac Regulation, however, outlines the specific situations in which a security flag should be recorded:

1. If the person is violent (exhibiting "behaviour that causes physical harm to others that would constitute a crime under national law").
2. If the person is unlawfully armed.
3. Where there are clear indications that the person is involved in a terrorist offence or one of the offences outlined in the European Arrest Warrant Framework Decision.

These categories are deliberately broad, allowing for a high degree of discretion. In practice, they reflect a shift from responding to concrete security threats to preemptively policing individuals based on perceived risk. This anticipatory logic, rooted in prevention rather than prosecution, conflates migration with criminality and places individuals under suspicion before actions occur.

Eurodac, initially designed as a tool for asylum management, has now evolved into a hybrid system at the crossroads of migration control and security enforcement. The increasing entanglement of migration governance with crime prevention mechanisms reflects a growing trend: security concerns are not just adjacent to migration policy but embedded within it. The collection and categorization of personal data are no longer neutral administrative tools—they are part of a broader strategy of surveillance and control, where the line between protection and suspicion is increasingly blurred.