Delayed ETIAS Implementation: Balancing Security vs. Data Privacy

By Megan Bozzer

Introduction

The European Travel Information and Authorization System (ETIAS) was proposed in 2016 to strengthen security measures for travelers entering Schengen countries and other neighboring European regions [1]. This comprehensive system collects a range of personal details, encompassing demographic information and travel history. This necessitates a balance between the need for enhanced security and the protection of individual data privacy. This article will explore various aspects of ETIAS, including its operational framework, data privacy concerns, and a comparison with a similar system, the United States’ (U.S.) Electronic System for Travel Authorization (ESTA).

Background

In response to growing security concerns, ETIAS, proposed in 2016 and initially expected to take effect in 2022, is now set to be implemented in 2025 [2]. This system is designed to enhance security measures for travelers entering Schengen countries, those in the European Free Trade Association, and open-bordered European microstates. ETIAS is essentially a visa system, targeting individuals currently traveling visa-free to the European Union (EU) to identify security concerns before entry [3].

Any traveler from a non-EU country that is currently exempt from visa requirements for short-term stays in the EU will require ETIAS for entry, including current passport holders [4]. To achieve its security goals, the system collects various personal information, including name, birthdate, birthplace, sex, address, parents’ names (if known), education, employment details, EU destination, and information on past convictions or travel to conflict zones [5]. A valid passport and a seven Euro fee are also required to be approved [6]. The approval period for ETIAS ranges from minutes to thirty days, depending on the necessity for additional information or interviews [7]. In cases of refusal, an appeals process is in place [8]. Once granted, ETIAS approval is valid for three years of travel [9]. Further, information is retained for five years [10].

ETIAS provides an outline of its proposed framework and strategy for processing and managing information [11]. Upon submission, applications undergo cross-checks across multiple information systems [12] to evaluate “security, irregular migration or high epidemic risks” [13]. Applications raising concerns are directed to designated ETIAS Central and National Units for a final decision [14]. The Central Units, managed by Frontex, the European Border and Coast Guard Agency, are responsible for overseeing and storing system information [15]. The collaboration with various agencies and the restriction of access to authorized personnel underscore the meticulous operational framework through which ETIAS aims to ensure the security of its data and decision-making process [16].

Analysis

Data Privacy Concerns

The data privacy concerns are not hard to imagine. Questions like “How will my data be protected?”, “What happens if my data gets lost or into the wrong hands?”, “Who will my data be shared with?”, and more come quickly to mind. Luckily, data security is a priority for the EU, and Europe has some of the “toughest privacy and security laws in the world” [17]. It could be of comfort to think that if this new requirement is implemented, it has been thoroughly vetted. However, it is a lofty system with many moving parts, thus, skepticism is not unwarranted.  

Compliance with the EU’s data privacy laws and regulations is a necessary hurdle for ETIAS to move forward. This hurdle has been one of the major blocks in setting this project back from 2022 to 2025 [18]. To address concerns, the ETIAS regulations detail its procedures surrounding the processing of personal data, compensation if protection rules are broken, data sharing, data retention, and more [19]. These procedures are analyzed in accordance with the General Data Protection Regulation (GDPR), as well as European laws [20]. The GDPR ensures that this data is handled with the highest standards of privacy and security [21]. It establishes clear guidelines on obtaining informed consent, grants individuals rights over their data, and mandates stringent measures for data breach notification [22]. The GDPR’s emphasis on accountability, transparency, and individual control aligns with the goals of ETIAS in maintaining the balance between enhanced security measures and safeguarding the fundamental rights of individuals.  

Another major data concern and hurdle for ETIAS implementation is that of fundamental rights [23]. The system flags individuals based on certain traits, attempting to identify those ‘likely’ to commit an offense [24]. While this aims to bolster security, the manual review of flagged traits [25] raises potential issues related to fundamental rights, profiling, and discrimination [26]. To address this, ETIAS has established the Fundamental Rights Guidance Board (FRGB) [27]. Comprising members from various agencies, including a Fundamental Rights Officer of the European Border and Coast Guard Agency, a representative of the European Union Agency for Fundamental Rights, and a representative of the European Union Agency for Fundamental Rights, the FRGB serves to regularly advise, evaluate, and recommend on matters concerning privacy, data protection, and non-discrimination practices [28]. Despite this establishment, fundamental rights concerns have not fully been addressed and without an impact assessment or deep analysis, the project will likely continue to face challenges and remain at a stalemate. This Board plays an important role in ensuring that ETIAS effectively balances its commitment to enhance security measures and the protection of personal privacy rights. The complexity of implementing a system that must navigate the line between collective security and individual liberties is highlighted in these challenges related to individual’s fundamental rights.  

ESTA

ETIAS is noted to be similar to the system used in the U.S., the ESTA [29]. The ESTA was developed and introduced after the events of September 11, 2001 [30]. The ESTA is for considered “lower risk” countries [31]. It is a shorter form than a full visa and is good for up to ninety days [32]. The ESTA system uses a list of forty countries that are eligible for approval whereas the ETIAS lists sixty countries [33]. The application processes are very similar for both systems [34]. However, a notable difference is that the ESTA is known to be much harder to acquire [35]. ESTA flags ‘smaller’ issues, especially if one has any type of criminal record, whereas ETIAS is easier to acquire with a criminal record [36]. The goal of both of these systems is the same; to be able to strengthen their border control and keep track of international travelers [37].

There are no clear answers to why there is a perceived difference in the strictness between the two systems. Reasons to explain this difference could be attributed to the differing security experiences, politics, and history. ESTA was developed on the heels of 9/11, and post-9/11 securities measures are notoriously heightened surrounding the historic events [38]. However, ETIAS was also proposed in response to terrorist attacks in France and Belgium [39]. The U.S.’s national security and immigration policies also have a very strict political history. The EU might have different diverse political and legal frameworks. The Schengen Area specifically operates on the principle of free movement and open borders. The aim of ETIAS is to enhance collective security while maintaining travel. Overall, many subjective factors may influence the differing perceptions of these two systems.  

Conclusion

ETIAS is designed to advance border management and bolster security. Striking a delicate balance between this commitment and ensuring data privacy security is crucial. As we delve into the intricacies of ETIAS, the reasons behind its delayed implementation become evident, reflecting adherence to the stringent requirements of the European Union’s data privacy laws, especially the GDPR. ETIAS faces various challenges, including the task of upholding fundamental rights, a task addressed through regulations and the establishment of its FRGB. While the concept of such a system is not novel, exemplified by the existing ESTA system, it emphasizes the ongoing need to consistently balance collective security with the protection of individual rights, especially in the context of modern travel. 

[1] This includes counties such as: Austria, Belgium, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, and Switzerland, Starting in 2023 Travel to Europe Will Require an Extra Step, INTEREXCHANGE (May 20, 2021), https://www.interexchange.org/blog/us-residents/europe-travel-requiresextrastep#:~:text=ETIAS%20authorization%20will%20be%20needed,%E2%80%9CHome%20ETIAS%20Countries%E2%80%9D.

[2] It was initially meant to start in 2021, then every year until 2025. All you need to know about ETIAS, ETIAS.COM (2016), https://etias.com/what-is-etias/etias-key-facts.

[3] European Travel Information and Authorisation System (ETIAS), EUROPEAN COMMISSION, https://home-affairs.ec.europa.eu/policies/schengen-borders-and-visa/smart-borders/european-travel-information-authorisation-system_en.

[4] This includes countries such as the United States, United Kingdom, Canada, Mexico, Brazil, Japan, Ukraine, and more. ETIAS: Who should apply, EU, https://travel-europe.europa.eu/etias/who-should-apply_en.

[5] Ronan O’Connell, What is ETIAS? The European visa waiver system explained, NATIONAL GEOGRAPHIC, (October 26, 2023), https://www.nationalgeographic.com/travel/article/europe-visa-system-etias.

[6] Regulation (EU) 2018/1240, 2018 O.J. (L 236) 1

[7] Sofia Andrade, ETIAS applications for 2024 Europe travel open this year, THE WASHINGTON POST, (July 25, 2023), https://www.washingtonpost.com/travel/2023/07/25/etias-applications-2024-europe-travel/.

[8] Id. Reasons for refusal and directions on how to appeal will be found in the application refusal notification.

[9] All you need to know about ETIAS, ETIAS.COM (2016), https://etias.com/what-is-etias/etias-key-facts.

[10] The data can be kept for the length of the authorization, with consent for 3 years after authorization, or 5 years from ETIAS refusal, revocation, or annulment, Data protection: How ETIAS handles personal information, ETIAS, (January 1, 2023), https://www.etiasvisa.com/etias-news/etias-data-protection-personal-information.

[11]. Id.

[12] “An EU press release from 2016 identifies ‘the Visa Information System (VIS), Europol data, the Schengen Information System (SIS), Eurodac and the European Criminal Records Information System (ECRIS)’ as databases to be used in the ETIAS verification process” as well as checked against border entry documents upon arrival. Ellen Ioanes, ETIAS: The new travel program you need to know about before planning your next vacation, VOX, (July 30, 2023), https://www.vox.com/2023/7/30/23813137/etias-travel-program-vacation-us-eu.

[13] European Travel Information and Authorisation System (ETIAS), EUROPEAN COMMISSION, https://home-affairs.ec.europa.eu/policies/schengen-borders-and-visa/smart-borders/european-travel-information-authorisation-system_en.

[14] Those applications not automatically approved (3%) will be manually reviewed, ETIAS, FRONTEX, https://www.frontex.europa.eu/what-we-do/etias/about-etias/.

[15] Id.

[16] Frequently Asked Questions, ETIAS.COM, https://etias.com/etias-frequently-asked-questions.

[17] Referring to GDPR, What is GDPR?, GDPR.EU, https://gdpr.eu/what-is-gdpr/.

[18] ETIAS Implementation Likely Delayed to 2025, ETIAS.COM, https://etias.com/articles/etias-implementation-likely-delayed-to-2025.

[19] 19 Regulation (EU) 2018/1240, 2018 O.J. (L 236) 1

[20] ETIAS Data Protection: Personal Information, ETIAS VISA, https://www.etiasvisa.com/etias-news/etias-data-protection-personal-information.

[21] What is GDPR?, GDPR.EU, https://gdpr.eu/what-is-gdpr/.

[22] Id.

[23] The right to privacy as well as right to non-discriminatory practices, Study on the ETIAS Regulation, EUROPEAN PARLIAMENT, https://www.europarl.europa.eu/RegData/etudes/STUD/2017/583148/IPOL_STU(2017)583148_EN.pdf.

[24] Id.

[25] A concern noted surrounding the idea of manual decision making is “This appears to constitute human intervention. But it is really unclear to what extent such human intervention will be meaningful in practice. In ETIAS, the human is ‘looped in’ at the end of the decision-making chain, where their judgment is already mediated by the ‘risk score’”, Timo Zandstra and Evelien Brouwer, Digital Border, VERFASSUNGSBLOG, (June 24, 2022), https://verfassungsblog.de/digital-border/.

[26] Study on the ETIAS Regulation, EUROPEAN PARLIAMENT, https://www.europarl.europa.eu/RegData/etudes/STUD/2017/583148/IPOL_STU(2017)583148_EN.pdf.

[27] ETIAS Fundamental Rights Guidance Board, FRONTEX, https://www.frontex.europa.eu/what-we-do/etias/etias-fundamental-rights-guidance-board/.

[28] Id.

[29] ETIAS and ESTA: Similarities and Differences, ETIAS.INFO, https://www.etias.info/etias-esta-similarities-differences/.

[30] Electronic System for Travel Authorization (ESTA) Fee Adjustment, DEPARTMENT OF HOMELAND SECURITY, 87 Fed. Reg. 14,970 (Mar. 24, 2022), https://www.federalregister.gov/d/2022-06366.

[31] Travelers from many European countries are required to have a valid ESTA, Visa Waiver Program (VWP), U.S. DEPARTMENT OF STATE – BUREAU OF CONSULAR AFFAIRS, https://travel.state.gov/content/travel/en/us-visas/tourism-visit/visa-waiver-program.html.

[32] ETIAS and ESTA: Similarities and Differences, ETIAS.INFO, https://www.etias.info/etias-esta-similarities-differences/.

[33] Id.

[34] Id.

[35] Id.

[36] Id.

[37] Id.

[38] Enhancements to ESTA FAQs, U.S. CUSTOMS AND BORDER PROTECTION, https://www.cbp.gov/travel/international-visitors/esta/enhancements-to-esta-faqs.

[39] Frequently Asked Questions, ETIAS.COM, https://etias.com/etias-frequently-asked-questions.