Entry-Exit Biometric Controls Are Coming to Schengen; EU ‘Smart Borders’ Poised to Surpass U.S.

By Phillip Linderman on June 13, 2022

The Schengen Zone continues to inch forward in deploying the long-delayed European Travel Information and Authorization System (ETIAS) and its companion Entry-Exit System (EES). Perhaps most interesting for American observers is the rollout of EES, an ambitious biometric information collection program that will not only capture digitized fingerprints and facial images on all incoming foreign visitors, but also collect these data at departure at all Schengen air and seaports and even at external land-crossing points.

Both ETIAS and EES, when operational, will bring impressive new border security to the Schengen Zone, an area that consists of 26 countries, most of which are European Union (EU) member states. It will stand in sharp contrast to the U.S. system, which uses true biometric identity verification only at air and sea entry ports, relying primarily on airline passenger manifests for exit tracking, and which still lacks biometric identity verification at the land entry ports, where the largest number of travelers enter.

Although all EU countries are not Schengen members, and a few non-EU countries are included, the Schengen Zone is a border project of the European Union, with all key policy decisions being made in Brussels. EU officials have announced that EES will begin operations in September 2022, to be followed by ETIAS in May 2023, both programs having endured significant delays caused by Covid and technical problems. Brussels has put first priority on deploying EES in order to begin the collection of the foundational biometric entry and exit records needed to help ETIAS function effectively.

This analysis draws on what I learned from EU officials while serving as senior consular representative, 2018-21, in the U.S. Mission to the European Union.

ETIAS Is Similar to the American ESTA Program Managed by CBP

The EU currently permits visa-free travelers from more than 60 countries worldwide to enter the Schengen Zone. These foreign travelers, mainly international airline passengers, are currently not pre-screened (except by EU member-state “Passenger Information Units", discussed below) until they land at a Schengen port of entry and encounter local border authorities. ETIAS is closely modeled on the American ESTA system (Electronic System for Travel Authorization), managed by U.S. Customs and Border Protection and in operation since 2008. Used in conjunction with the Visa Waiver Program (VWP), ESTA is the main screening tool CBP uses to vet and pre-authorize visa-free travelers to enter the U.S., and CBP has generously shared its ESTA experience with EU officials building ETIAS.

ETIAS will require visa-free travelers to make an online application, ideally at least a week before their planned departure, requesting pre-authorization to enter the Schengen Zone. ETIAS officials will respond by email with an authorization or denial (and in the case of a commercial flight, before the traveler boards the aircraft). In applying, visa-free travelers will use the ETIAS app or website to provide brief personal biographic information, answering education, work, health, and travel destination questions. They will pay an application fee (currently projected to be €7 using a credit or debit card) and await the electronic response, which ETIAS officials expect the vast majority of applicants will receive within 96 hours (difficult applications can require up to four weeks to resolve).

ETIAS authorizations will be valid for three years, allowing multiple entries, and can be used for stays totaling no more than 90 days in any single six-month (180-day) period within the Schengen Zone. An authorization to enter through one Schengen country will be valid for travel across the entire zone. ETIAS is not required for citizens or legal residents of Schengen member states or for travelers entering on valid visas.

When fully operational, ETIAS will be mandatory, pre-screening millions of visa-free travelers entering Schengen airports and seaports. Although the focus is on air travel, eventually EU officials plan to require ETIAS for land travelers entering Schengen, at least those transported by international commercial carriers (e.g., tour buses, but not railroads or private cars).

American tourist and business travelers (some 25 million a year pre-Covid) will also need ETIAS pre-authorizations to travel into the region. EU officials will soon begin an information campaign to inform the U.S. traveling public about the program. It is expected that ETIAS will begin with a six-month trial period before becoming fully mandatory. The EU is now engaging international airlines on their looming obligations and new responsibilities under ETIAS. These include not only setting up technical connections but also explaining procedures for airlines to follow in keeping non-authorized travelers from boarding aircraft.

ETIAS Adjudication Process

The European Border and Guard Agency (commonly called “Frontex”) will operate an ETIAS Central Unit that will evaluate online applications in conjunction with ETIAS National Units, to be created by each Schengen member state. In applying, travelers will declare which member state they seek to enter first in the Schengen Zone, and the national unit of that country, conferring with central unit officials, has the final authority in granting or denying pre-authorizations.

Applicants will receive intense scrutiny if they turn up as a match on the ETIAS watchlist or if their online information triggers targeting algorithms set to ferret out security risks. Europol will prepare and maintain the ETIAS watchlist, and an ETIAS advisory board will determine risk factors that algorithms will apply to search online applications. These risks will include indicators that link to terrorism, criminal activity, public health issues, and previous overstay or visa violations. Presumably, the algorithms will also screen for illegally working or becoming a public charge. Experts predict up to 5 percent of all ETIAS applicants will fall into the categories of being refused or requiring a more thorough evaluation. Refused applicants will have an appeal process.

Collecting all this personal information, even on foreigners, is always controversial in Brussels, which has imposed strict regulations on safeguarding identity data gathered by EU member states. ETIAS rules will prohibit member states from sharing personal records on travelers with any non-EU/Schengen countries. However, any information ETIAS uncovers on suspected terrorists or serious criminals will presumably be shared internationally through law enforcement channels.

From my experience, I expect EU authorities will also restrict ETIAS authorities from accepting outside derogatory information on suspect individual travelers, even when offered by security partners such as the United States, unless that information reveals credible links to terrorism or serious crimes, worthy of law enforcement exchange. EU officials will require ETIAS authorities to make their own independent findings, based on Schengen and member state information, to justify any denial of a travel pre-authorization.

Before ETIAS, the EU Relied on API and PNR Screening

Since 2004, the EU has directed member states to require airlines to provide Advance Passenger Information (API) and — after the terrorist attacks of 2015-16 in Europe — Passenger Name Record (PNR) data to national border-security services to vet international air travelers. In 2016, Brussels mandated all member states create “Passenger Information Units” (PIUs) to ensure widespread and effective use of both API and PNR to scrutinize international airline passengers before takeoff.

With API and PNR, member-state PIUs have done significant pre-screening work on international travelers. Even after ETIAS is deployed, the PIUs will continue to carry out their mission of screening all airline passengers for links to terrorism or serious crimes (such as human trafficking). Germany, France, Belgium, and the Netherlands have organized, in particular, effective national PIUs (in some cases even screening intra-EU travelers), while other EU countries, such as Spain, have lagged behind.

Unlike ETIAS, the use of PNR runs into political and legal complications in Brussels, where the safeguarding of personal identity information, particularly of EU citizens, has become one of the Continent’s highest priorities. NGOs and human rights activists in Europe are now litigating against member states collecting PNR, and in particular retaining such data, as violations of EU fundamental rights.

Outspoken critics in the European Parliament are on the same warpath against PNR, arguing there is a meaningful legal difference when passengers buy an airplane ticket (the source of PNR) and when they make an application for a visa or ETIAS. The critics further challenge PNR’s effectiveness in the fight against terrorism and serious crimes.

In any event, EU member-state authorities have not generally used API and PNR as tools to detect lesser criminal activity or travel infractions such as visa abuse and overstays, a vulnerability that ETIAS will address. Unlike PNR, which is collected on all travelers, including EU citizens, ETIAS has full political support in Brussels, which recognizes that foreign visitors are asking for permission to enter Schengen, just as they do in making visa applications, with an understanding they must surrender personal identity data.

Entry-Exit System — The Hardest Nut to Crack

EU authorities believe the linchpin in making their smart-border system truly function is the systemic collection of biometric electronic records at all ports of entry/exit and making that information available and interoperable across all Schengen databases. By deploying enhanced technical capacity at all Schengen airports, seaports, and land-crossing points, EES will systematically record when all foreign travelers, whether on visas or ETIAS authorizations, enter and exit the external Schengen border.

The EES business model requires all foreign travelers, coming and departing, to self-enroll their personal and biometric information at computer kiosks deployed in large numbers at all Schengen ports of entry/exit and at land-crossing points. Schengen-country border authorities will remake their operational practice for managing travelers from interviewing, reviewing documents, and stamping passports to instead overseeing the EES auto-enrollment process, thereby facilitating and verifying data enrollment and moving problem cases and security issues that arise to secondary inspection.

Kiosk computers will capture each traveler’s passport biographic information, photograph (for facial recognition technology) and four digitized fingerprints. Upon data collection, the kiosk computer will automatically inform incoming travelers how long they are authorized to remain in the Schengen region.

Control points at air and seaports are, of course, much easier to manage than large land-border crossings (witness CBP’s experience on the Mexican frontier, where no exit data is collected on pedestrians or passengers in vehicles). Schengen authorities hope to build flexible, surge capacity at land-crossing points, installing large numbers of fixed kiosks and also equipping border guards with mobile kiosks and handheld devices. EU officials believe through the widespread use of handheld devices, such as computer tablets, border guards can quickly enroll travelers and ensure lines do not back up (e.g., by boarding buses and walking lines of vehicles to collect data on drivers and passengers).

Officials also plan to construct bi-directional “eGates” inside land facilities that can quickly screen pedestrians, using equipment that has already been rolled out at some modern airports in Europe. This technology is to be enhanced further through the use of a trusted-traveler program (called the “Registered Travelers Program” (RTP)) that will pre-vet reliable, frequent visitors.

Schengen and member-state border authorities are likely to require significant time to fully deploy and integrate EES entry/exit control capacity on all external land borders, where there are over 60 significant crossing points. EU officials have expressed their willingness to stay the course on this aspect of the strategy, which they believe is a critical component for detecting overstayers and visa abusers.

EES and ETIAS To Be Interoperable with All EU/Schengen Border-Security Databases

Deploying the best information technology that can harness the most advanced facial recognition and digital fingerprint capacity will be required for both EES and ETIAS to function smoothly. The EU’s technical agency managing this colossal enterprise is known as “EU-Lisa”. Provided over €850 million since 2017 and headquartered in Tallinn, Estonia, EU-Lisa is charged not only with engineering the computing and software architecture, but with helping to purchase and deploy the equipment and developing tech operating best practices for border officials in the field. In an era of increased concern in Europe about illegal immigration and border security, Brussels has placed considerable responsibility on EU-Lisa to prove that large-scale, smart-border technology is workable.

The mantra EU-Lisa officials use is “interoperability”, enabling not only ETIAS and EES databases to communicate with each other, but to render all of the EU’s vast biographic and biometric holdings usable in real time by Schengen and member-state border authorities. These databases include visa records, derogatory information files, and criminal databases (known as VIS, SIS-II, and ECRIS-TCN, respectively), as well as Eurodac, which is the EU database that keeps digitalized fingerprints of asylum seekers and irregular migrants.

EES and ETIAS could eventually set a new world standard in smart-border security systems, but since both systems have already encountered technical delays, further postponements would not be a surprise. If ultimately successful, which seems very likely, this achievement would be impressive, enabling the EU to surpass the interoperability of U.S. government border-security practices and databases.

When operational, the European system will put the EU nations far ahead of the United States in terms of traveler entry and exit tracking capability, even though the United States launched the first component of its incomplete system back in 2004. Originally known as U.S. Visit, this system collects biometrics from travelers at the air and sea ports of entry, authenticates the travelers’ identity, and runs a background check. However, even after numerous pilot programs, the United States still lacks a biometric exit recording system, relying instead on a biographic system (known as the Arrival and Departures System (ADIS)) adopted in 2009 that simply collects the names of passengers exiting by plane or sea for matching to entry records. Further, U.S. authorities do not use biometrics routinely at the land ports of entry, where the largest number of foreign visitors enter, to authenticate identity (other than inspecting photographs) or track visa compliance. After all these years, and successful programs put in place by Europe and Australia, it’s hard to argue that the technology is not available or that the system would choke off travel and trade.

The success of EES should also reopen discussions about why CBP does not systematically capture all exit data on travelers, as mandated by Congress, and why both the Departments of State and Homeland Security cannot match this same level of biometric data collection and interoperability for U.S. border protection. These are questions that deserve fresh attention from Washington’s border-security advocates.