EU strengthens the integration of security databases under Schengen law

Imagine a highly qualified specialist from a third country landing at Frankfurt Airport. He has been a key employee at a German technology company for years. But when his face is scanned at the automated gate, a warning light flashes. Within milliseconds, systems in Strasbourg, Berlin, and Brussels have compared data the traveler was hardly aware existed. What sounds like a scenario from a science fiction novel is the imminent reality of European migration administration. The era of discreet record-keeping in immigration offices is ending, giving way to comprehensive digital biometric surveillance that will cover every corner of the Schengen Area by 2030. As a law firm, we are observing this development with a mixture of technological appreciation and profound concerns about the rule of law, because the line between efficient administration and total surveillance is becoming increasingly blurred.

The interoperability roadmap: A digital network without loopholes

The recently published plans for the EU-LISA "Interoperability Roadmap" make it clear that we are facing a paradigm shift. It is no longer simply a matter of individual databases like the Schengen Information System (SIS II) or the Visa Information System (VIS) existing side by side. The goal is the complete integration of all security- and migration-related data sets under one roof. By 2030, the Eurodac system, the new Entry/Exit System (EES), and the ETIAS travel authorization system are to be merged into a central biometric matching service .

For the Federal Republic of Germany, this means specifically that starting in 2027, the INPOL photo archive of the Federal Criminal Police Office (BKA), which currently comprises around eight million images, will be fed into this European pool. This will make biometric data of asylum seekers, deportees, and also regular visa applicants accessible in real time to security authorities throughout the Schengen Area and potentially even to US authorities within the framework of expanded security partnerships. Biometric identity will become the universal key that decides on entry, residence, and deportation, often without the individual having the opportunity to directly verify the accuracy of the stored data.

The end of anonymity through EES and ETIAS

The border crossing process will be fundamentally transformed in the near future. With the launch of the Entry/Exit System (EES) in April, fingerprints and facial images will be taken from every traveler from third countries upon entry – regardless of whether they have a visa or not. This data will be stored for three years. Shortly thereafter, the ETIAS system for visa-exempt travelers will follow. In legal practice, this means a massive expansion of data collection in accordance with Regulation (EU) 2017/2226.

We warn against underestimating the impact on corporate mobility , as companies urgently need to adapt their employee secondment policies . Employees who frequently travel from third countries will face longer waiting times at external borders and must be transparently informed about the extensive data storage. Anyone who exceeds the permitted stay by even a few hours will be automatically flagged in the system via real-time alerts. Overstaying will thus be almost impossible to conceal and can lead directly to entry bans that apply throughout the Schengen Area.

Between the need for security and fundamental rights

As legal representatives, we view the planned use of facial recognition queries under the Prüm II framework with particular concern . This threatens a development in which especially vulnerable groups, such as asylum seekers, are involuntarily misused as a testing ground for large-scale surveillance technologies . If facial images are released in massive numbers for hit/no-hit queries, the fundamental right to informational self-determination is at stake.

The legal challenge here lies in proportionality. While the digitalization of migration administration could theoretically lead to faster procedures, in practice it risks becoming an instrument of blanket suspicion. Although we support the modernization of the authorities, we demand strict adherence to the principle of purpose limitation. Migration-related data must not be misused for general police investigations without sufficient suspicion of a crime, as this would constitute a clear violation of the principles of the GDPR and the Charter of Fundamental Rights of the European Union .

Conclusion: The need for proactive preparation

In summary, the complete digitization and networking of European migration databases by 2030 appears inevitable. For travelers, this means an end to ambiguity regarding lengths of stay; for companies, increased compliance responsibility; and for us as lawyers, a new era of legal protection in a world of algorithms. The protection of digital identity will become a central issue in visa law . It is advisable to critically examine existing processes now and prepare for a system that leaves no room for error.