The Use of Mobile Data in the European Asylum System 

Guest post by D.G. Niruka Sanjeewani, PhD. D. G. Niruka Sanjeewani is a Senior Lecturer in International Relations and Strategic Studies at the Department of Strategic Studies, General Sir John Kotelawala Defence University, Sri Lanka. Her research focuses on migration studies, covering refugee regimes in South and Southeast Asia, the EU asylum system and law, unaccompanied minors, and labour migration.  

Introduction  

The growing reliance on mobile data extraction in asylum procedures has caused policy challenges across Europe. Mobile data extraction is the process of retrieving information about an individual’s personal characteristics and routine activities from mobile devices. This comprises data such as country codes linked to saved contacts, the language used in text messages, metadata embedded in photos, location history, email addresses, and social media login credentials. In the context of asylum, the retrieval of mobile data extraction is framed as part of a more restrictive asylum policy aimed at preventing irregular entries.  

Most importantly, states’ reliance on mobile data extraction reflects a broader trend of framing asylum seekers as ‘illegal migrants’, thereby undermining the principles of international protection. The collection, storage, and processing of asylum seekers’ mobile data exemplify growing concerns over the use of data-driven decision-making in contemporary asylum governance. Against this backdrop, mobile data extraction is conducted not only during initial screenings at border crossings but may also occur at subsequent stages of the asylum application process. This process raises substantial ethical and legal concerns, as asylum seekers are individuals fleeing their home countries due to a well-founded fear of persecution.  

In this post, I examine how mobile data extraction raises questions about its ethical justification, legal basis, and broader implications for human rights. It is further contended that the use of mobile data extraction to criminalize asylum seekers for their entries constitutes a violation of their right to protection. This is affirmed by the United Nations High Commissioner for Refugees, which asserts that asylum seekers should not be penalized for irregular entry. Despite this, states persist in enforcing restrictive measures against asylum seekers by utilizing data extracted from their mobile devices. Under such circumstances, the discussion underscores the urgent need for a rights-based and ethical framework for the use of mobile data in asylum governance. 

Legal Fallouts of Emerging Tendencies 

Mandatory extraction of mobile phone data from asylum seekers infringes on their privacy rights, as mobile devices contain intimate, detailed, and sensitive information that individuals may be unwilling to disclose to state authorities. This stands in contradiction to the right to respect for private life (Article 7) and the right to the protection of personal data (Article 8), as enshrined in the Charter of Fundamental Rights of the European Union. The disclosure of such information was reported in the United Kingdom, where the Home Office was found to have breached data protection laws in 2020 by seizing phones and coercing asylum seekers to reveal passwords. In relation to the UK, the Immigration Acts of 1971 and 2016. Schedule 2, Paragraph 25B of the 1971 Act allows searches only when there is a legitimate reason to believe that a person poses a threat or might attempt to escape custody, which is a condition not often met in every mobile data extraction. Notably, the High Court ruling ‘R (HM, MA, and KH) v Secretary of State for the Home Department’ in 2022 challenged the lawfulness of such extraction practices, ultimately declaring them unlawful. 

In such circumstances, extracting mobile data without first considering the submitted undermines the integrity of credibility assessments within asylum procedures. For example, German authorities have reportedly rejected non-biometric documents submitted by asylum seekers, such as a Tazkira and an Afghan-issued marriage certificate and proceeded to extract mobile data without first evaluating the submitted documentation. This practice contradicts Article 5(1)(c) of the General Data Protection Directive Regulation (GDPR), which requires data collection to be adequate, relevant, and limited to what is necessary. 

Perils 

There is also a significant risk associated with the false information and narratives that could be derived from mobile data. For example, the Federal Office for Migration and Refugees (BAMF) has conducted approximately 20,000 mobile phone searches of asylum seekers since 2017. It has been reported that such data extractions have yielded minimal instances of false information, thereby leading to doubt on the overall effectiveness of it.  With its cost of €11 million, it appears neither cost-effective nor proportionate in terms of intrusiveness. Also, a report by the GFF has indicated that 64% of cases yielded no usable results, 34% supported the applicants' origin and identity claims, and only 2% contradicted those claims. 

Under EU data protection regulations, including the GDPR, the lawful processing of personal data requires the informed consent of the data subject. However, in the context of asylum procedures, this principle is not always upheld. For instance, a report on Italy indicates that migrants often exchanged personal identity data for access to essential services without providing meaningful or informed consent, thereby undermining privacy rights and data protection standards during the identification process. Although refusal to cooperate with authorities cannot, in itself, serve as grounds for the rejection of an asylum claim, it may adversely affect the overall credibility assessment. As an example, in the Netherlands, the Immigration and Naturalisation Service (IND) may classify an application as manifestly unfounded if the applicant is found to have obstructed efforts to verify their identity. This aligns with the Aliens Act 2000, which mandates digital device checks for all adult asylum seekers.  

Conclusion  

The use of mobile data extraction to criminalize asylum seekers raises concerns about reinforcing harmful stereotypes and exposing legal protection gaps. It also reflects epistemic injustice by privileging digital data over personal testimonies. In light of these implications, the post calls for a rights-based framework that aligns data extraction practices with asylum seekers’ fundamental rights to privacy, informed consent, and data protection. Therefore, strengthening regulatory frameworks and conducting impact assessments are crucial to ensuring ethical, transparent, and accountable data practices. 

 
Any comments about this post? Get in touch with us! Send us an email, or find us on LinkedIn and BlueSky.