Case Study 7.2: Eurodac, Dublin, and the Biometric Governance of Asylum

Case Study 7.2: Eurodac, Dublin, and the Biometric Governance of Asylum

Overview

Between 2015 and 2016, approximately 1.3 million people applied for asylum in European Union member states — a number that strained the EU's legal framework for managing asylum claims and exposed fundamental tensions in the biometric governance architecture that had been built over the preceding decade. This case study examines how the EU's biometric border management systems — Eurodac in particular — shaped, constrained, and sometimes failed the individuals they processed during what became known as the "European refugee crisis." It situates the technical architecture within the broader questions the chapter raises about consent, classification, and the asymmetric power of surveillance at borders.

The Legal Framework: Dublin and Its Biometric Enforcement

The Dublin Regulation (currently Dublin III, implemented 2013) establishes which EU member state is responsible for examining an asylum application. The general rule is that the first member state a person enters is responsible — unless they have family members in another member state, among other exceptions. The rule was designed to prevent "asylum shopping" — moving between countries to find the most favorable system — and to establish a clear allocation of responsibility.

The biometric enforcement of Dublin is Eurodac. When someone applies for asylum in an EU country, their fingerprints are taken and checked against the Eurodac database. If the person's fingerprints are already in the database from a previous application in another country, the current country can initiate a "take-back request" — requiring the first country to accept return of the person.

In principle, Dublin + Eurodac create a clean enforcement system: the biometric record establishes where a person first entered and applied; the legal rule assigns responsibility; the biometric comparison enables enforcement. In practice, the system has significant dysfunctions that the 2015–16 crisis made visible.

The Geographic Asymmetry Problem

The Dublin system's "first country of entry" rule creates a structural problem: EU member states at the Mediterranean and eastern borders — Italy, Greece, Bulgaria, Hungary — receive disproportionately large numbers of asylum seekers because they are geographic entry points. The biometric system faithfully records this geography: fingerprints taken in Greece mark the person as Greece's responsibility.

But Greece, during the 2015–16 crisis, was already in severe economic difficulty and had an asylum processing system that had been found by the European Court of Human Rights (in the M.S.S. v. Belgium and Greece decision, 2011) to violate the right to liberty and protection against inhuman or degrading treatment due to the conditions in which asylum seekers were held.

Belgium and other northern European countries could not lawfully transfer people back to Greece under Dublin because doing so would violate human rights obligations — the ECHR had said so. But the Dublin rule and Eurodac continued to assign formal responsibility to Greece. The biometric system recorded a legal responsibility that could not, in practice, be enforced without violating human rights law.

This created a situation in which Eurodac operated as designed — faithfully recording fingerprints and enabling "take-back requests" — while the underlying legal framework was functionally inoperative. The surveillance system was working; the governance system it was supposed to enforce had collapsed.

Fingerprinting and Resistance

As the 2015–16 crisis developed, reports emerged of asylum seekers deliberately damaging their fingertips to prevent Eurodac registration — using sandpaper, caustic substances, or cutting. The practice, though not widespread, was striking as a form of counter-surveillance: people strategically disabling the biometric identifier to avoid being recorded as having entered from a country they did not want to be assigned to.

The desire to avoid Eurodac registration was not primarily about evading persecution screening — the people attempting to avoid fingerprinting were, overwhelmingly, people genuinely seeking asylum, not people trying to hide criminal histories. The motivation was the Dublin rule: registration in Greece meant potential return to Greece, which meant potential indefinite detention in conditions found inhumane by the ECHR.

The act of damaging fingertips to evade biometric registration illustrates a fundamental point about surveillance systems: they create incentives for counter-action among those who are most severely constrained by them. Surveillance is not one-directional; the surveilled adapt.

Greek and Italian authorities, aware that many people entering were not registering with Eurodac, faced a dilemma: enforce registration (and face political backlash from people resisting) or tolerate gaps in the database (and face pressure from northern EU countries insisting on Dublin enforcement). In practice, enforcement was inconsistent and the database gaps were significant.

The 2013 Law Enforcement Expansion: Function Creep in Action

Eurodac was established in 2003 explicitly for immigration and asylum management. In 2013, the EU regulation governing Eurodac was amended to allow law enforcement agencies to access the database for the investigation of terrorist offenses and serious crime.

The 2013 expansion is a paradigm case of function creep — precisely as the chapter defines it. The database built for one purpose (asylum management) was repurposed for another (criminal investigation) through a legal amendment that received significantly less public attention than the original establishment of the system.

The expansion was justified through a security logic: if fingerprints from crime scenes can be matched against a database of suspects, why shouldn't that database include the extensive fingerprint records already collected from asylum seekers? The logic is not obviously wrong — Eurodac does contain fingerprints, and fingerprints can in principle solve crimes. But the expansion has consequences:

Stigmatization. When asylum seekers are told their fingerprints will be stored in a database accessible for criminal investigation, the implicit message is that they are presumed criminal — that their biometric data is more appropriately housed in a law enforcement system than in an immigration management system. This reflects and reinforces the conflation of migration and crime.

Deterrence. People who fear law enforcement systems in their countries of origin — including people who fled state violence — may be more reluctant to seek asylum through official channels if they know their biometric data will be accessible to law enforcement agencies.

Normalization of the architecture. Once law enforcement access to a biometric database is established as normal for one population (asylum seekers), the expansion of that access to other populations becomes a smaller logical step. The architecture normalizes the fusion of immigration and law enforcement surveillance.

The Dignity Dimension

Mandatory biometric collection from asylum seekers takes on a specific character given the circumstances of those being fingerprinted. Many people arriving at EU borders in 2015–16 had experienced violence, imprisonment, torture, or the death of family members. Some had been subjected to physical harm specifically through their bodies — including survivors of torture.

The requirement that these individuals submit to fingerprinting and iris scanning as a condition of having their asylum claim considered adds a specific dimension to the analysis of consent. The consent in this context is, as the chapter's recurring theme notes, a fiction — but a particularly charged fiction for people who have fled systems in which contact with state authority was itself a source of danger.

Several civil society organizations working with asylum seekers in Greece and Italy documented cases in which people who had been tortured by state authorities in their countries of origin were deeply distressed by the requirement to submit to biometric collection by European state authorities. The surveillance relationship carried associations that went beyond the technical purpose of the fingerprint.

The Data Retention Question

EU data protection law generally establishes principles of data minimization — data should be kept only as long as necessary for the purpose for which it was collected. Eurodac's original regulation retained fingerprints for ten years for asylum seekers and eighteen months for irregular border crossers.

In 2021, new Eurodac regulations extended the retention period to ten years for all categories and eliminated the age limit for fingerprinting (previously, fingerprints were not taken from people under 14; the new regulations lowered this to 6). The extension of retention and the lowering of the age limit for biometric collection from children represent expansions of the surveillance architecture that were implemented with limited public debate.

Fingerprints taken from a 6-year-old asylum seeker under the current regulations will be retained in the database until that child is 16. During those ten years, those fingerprints are accessible to law enforcement agencies across 30+ countries for investigation of serious crimes and terrorism. The child is in the database not because of anything they did, but because their parents sought asylum from persecution.

Discussion Questions

The Dublin Regulation allocates responsibility for asylum applications based on the first EU country entered — a geographic rule enforced through Eurodac's biometric records. In M.S.S. v. Belgium and Greece, the ECHR found that returning asylum seekers to Greece violated human rights obligations. This created a situation in which the biometric enforcement architecture faithfully recorded the legal obligation, but the legal obligation could not be enforced without violating other legal obligations. What does this episode tell us about the relationship between surveillance architecture and the legal frameworks it is designed to enforce? Can a surveillance system be "working" while the underlying governance system has failed?
The practice of asylum seekers damaging their fingertips to avoid Eurodac registration is a form of counter-surveillance — using bodily harm to prevent biometric identification. How should we understand this practice? Is it rational? Is it a form of political resistance? Does the fact that people are willing to harm themselves to avoid registration tell us anything about the design of the biometric system?
The 2013 expansion of Eurodac access to law enforcement agencies is a clear example of function creep. Assess this expansion using the following framework: (a) what was the stated justification? (b) what alternative mechanisms existed for achieving the same goal without expanding Eurodac access? (c) what are the documented or likely consequences of the expansion for asylum seekers' willingness to register? (d) what normalization effects has the expansion produced?
The 2021 regulations lowering the age limit for biometric collection in Eurodac to six years old were implemented with limited public debate. Evaluate the ethics of collecting biometric data from young children in the immigration context. Consider: the child cannot meaningfully consent; the parent's consent may not be fully voluntary given the circumstances; the data will be retained for ten years; and the data is accessible for criminal investigation. Is there a principled basis for treating children's biometric data differently? If so, what does that principle imply for the Eurodac regulations?
Jordan is asked in class to compare the U.S. travel ban (Case Study 7.1) to the EU's Dublin/Eurodac system (this case study) as two different approaches to border biometric governance. What are the most important similarities? What are the most important differences? Which system treats asylum seekers more fairly by Jordan's analysis — and on what criteria?
The chapter's recurring theme of "historical continuity" suggests that nothing in contemporary surveillance is truly new. Apply this principle to the Eurodac system. What historical precedents can you identify for the systematic biometric registration of displaced or migrant populations? What does this historical continuity tell us about the logic driving contemporary border surveillance architecture?

Case Study 7.2 | Chapter 7: Border Control and Biometric Databases | Part 2: State Surveillance