Border state:
Romania and the EU’s digital migration architecture
Three recent European legislative instruments – the new Eurodac (EU) 2024/1358[1] , the Screening Regulation (EU) 2024/1356[2] , (both adopted in May 2024, applicable from June 2026) and the proposed Return Regulation (March 2025, currently under negotiation)[3] – form an integrated system of total digital surveillance of non-EU migrants: from biometric registration at the border, to the storage of data in interconnected databases accessible to law enforcement authorities, to the enforced execution of return decisions.
Eurodac collects fingerprints and facial images from children aged 6 and over, stores data for up to 10 years and makes it accessible to Europol and security agencies across the European Union, subjecting the GDPR’s purpose limitation principle to systemic pressure. The Screening Regulation imposes biometric checks exclusively on non-EU nationals, with a documented risk of ethnic and racial profiling. The proposed Return Regulation introduces the European Return Order recorded in SIS II, removes the suspensive effect of appeals and allows return to a third country with no connection to the data subject, including for families with children. The cumulative effect is the criminalisation of vulnerability. Bringing this framework into line with human rights standards requires, at the very least, making criminal access to biometric data subject to a judicial warrant, guaranteeing the suspensive effect of appeals against return decisions, eliminating return hubs, and establishing an effective right to rectification and erasure of data from European databases.
I. LEGAL CONTEXT
On 14 May 2024, the Council of the European Union adopted the Pact on Migration and Asylum, a legislative package comprising ten legislative instruments designed to profoundly reform the European system for managing migration flows. Among the ten legislative instruments are Eurodac and the Screening Regulation. The Pact, which will enter into force in full on 12 June 2026, represents the most ambitious reform of EU immigration and asylum policy in the last 20 years.
Almost a year later, in March 2025, the European Commission presented a new proposal for a Return Regulation, intended to replace the existing Return Directive[4] . In the context of the proposal for the new Regulation, it is highlighted that the current Return Directive faces a number of challenges that affect the efficiency and effectiveness of return procedures. These challenges include: “The lack of cooperation from third-country nationals, who may resist, abscond or otherwise obstruct return efforts, makes it difficult to enforce return decisions. Member States face difficulties in tracking third-country nationals throughout the various stages of return procedures, which slows down or hinders progress.”
On 8 December 2025, the Council of the EU finalised its position on EU legislation concerning the return of illegally staying third-country nationals, and is set to enter into negotiations with the European Parliament.[5] This position confirms the EU’s policy direction to build an integrated system for the management and return of non-EU migrants. The proposal on common rules for returns complements the pact and was presented by the European Commission in March 2025.
These three instruments (Eurodac, the Screening Regulation and the Return Regulation) together form an integrated digital control system covering the entire journey of non-EU migrants within the European area: from biometric identification at borders, to the storage of data in interconnected centralised databases, and up to the enforced execution of the return decision.
From a digital rights perspective, this architecture raises legitimate questions regarding its compatibility with the EU Charter of Fundamental Rights[6], with the GDPR (Regulation (EU) 2016/679)[7], with the European Convention on Human Rights, and with the general principles of non-discrimination.
II. EURODAC
Regulation (EU) 2024/1358 marks a transformation of the Eurodac database. Compared to the previous version, the new regulation provides for: (i) the collection of facial images as supplementary biometric data; (ii) the extension of the biometric registration requirement to children aged 6 and over (compared to 14 previously); (iii) the collection of extended alphanumeric data; (iv) the recording of a ‘security flag’ for persons who potentially pose a risk to internal security.
Extending the obligation to collect biometric data to children aged 6 and over is difficult to reconcile with Article 24 of the Charter of Fundamental Rights of the EU and Article 3 of the UN Convention on the Rights of the Child (CRC), which require that the best interests of the child be the primary consideration in any action concerning children.[8] The Regulation provides no analysis of necessity or proportionality to justify lowering the age threshold from 14 to 6 years.
Furthermore, Article 14(1) permits, ‘as a last resort’, the application of a ‘proportionate level of coercion’ towards minors to ensure the collection of biometric data. The procedural safeguards provided for, namely a trained official and an independent representative, cannot legitimise an interference that fails the proportionality test in substance.
According to Article 3(6), ‘All data records stored in Eurodac relating to the same third-country national or stateless person shall be linked into a single record.’
The system requires data to be stored for significant periods: 10 years for applicants for international protection, 5 years for third-country nationals or stateless persons apprehended in connection with the illegal crossing of an external border or who are in an irregular situation. The database is accessible to designated authorities in Member States responsible for the prevention, detection or investigation of terrorist offences or other serious crimes, the designated authority of Europol, the national ETIAS units[9] and the competent visa authorities.
The interoperability of migration systems with security systems is the most problematic aspect. Interoperability Regulations (EU) 2019/817 and 2019/818 establish a common framework for connecting six systems: the Entry/Exit System (EES), the Visa Information System (VIS), the European Travel Information and Authorisation System (ETIAS), Eurodac, the Schengen Information System (SIS) and the European Criminal Records Information System for third-country nationals (ECRIS-TCN).[10] The principle of purpose limitation (Article 5(1)(b) of the GDPR) is thus subject to systemic pressure: data collected in the context of international protection becomes accessible in the context of criminal investigations.
On the other hand, the Artificial Intelligence Act (Regulation (EU) 2024/1689) classifies artificial intelligence (AI) systems used in the context of migration, asylum and border control management as high-risk systems (Annex III, category 7).[11] However, Article 111 provides that large-scale IT systems already in operation (including Eurodac, SIS, VIS, ETIAS and ECRIS-TCN) must comply with this Regulation only by 31 December 2030, thus benefiting from a transition period of approximately four years. Classification as high risk without appropriate safeguards allows for the implementation of biometric identification systems at borders to deter and prevent the entry of migrants and applicants for international protection. These systems may facilitate and amplify racial profiling, using ethnicity or skin colour as indicators of a person’s migration status, without acknowledging the significant risks of discrimination that this entails. This compliance period creates a regime of algorithmic opacity for precisely those technologies with the greatest potential impact on migrants’ fundamental rights; a regime incompatible with the principle of accountability set out in Article 5(2) of the GDPR and with the right to an effective remedy and to a fair trial guaranteed by Article 47 of the Charter.
III. THE SCREENING REGULATION
Screening Regulation (EU) 2024/1356 establishes a generalised obligation of biometric and documentary checks applicable exclusively to third-country nationals crossing external borders without fulfilling the entry conditions. This distinction based on nationality constitutes, in itself, a form of differential treatment. Although the European Treaties permit restrictions on fundamental rights on grounds of public order and security[12] , the Court of Justice of the EU has consistently held that any restriction must be proportionate and must not affect the very essence of the right in question.[13]
The risk of ethnic and racial profiling is inherent in this system. Researchers warn that extending criminal authorities’ access to biometric data in Eurodac undermines the principle of purpose limitation and produces a ‘crimmigration’ effect, i.e. the intertwining of criminal control with migration control, effectively treating asylum seeker status as an indicator of criminal risk.[14] This approach is incompatible with the case law of the European Court of Human Rights in the case of S. and Marper v. the United Kingdom, in which the Court ruled that the storage of biometric data of persons not finally convicted for a period longer than is necessary for the purposes for which they are recorded constitutes a violation of Article 8 of the European Convention on Human Rights (ECHR).[15]
The monitoring mechanisms provided for in the Regulation are welcome in principle. Article 10 requires each Member State to establish an independent mechanism to monitor compliance with Union law and international law during screening, with the power to issue annual recommendations, to carry out on-site inspections and unannounced spot checks, and with the participation of national ombudsmen, national human rights institutions and OPCAT (Optional Protocol to the Convention against Torture) mechanisms. However, the effectiveness of this framework is structurally fragile. The 2024 report by the EU Agency for Fundamental Rights (FRA) on fundamental rights notes that, under current EU law, there is no explicit obligation for Member States to monitor fundamental rights at borders corresponding to Frontex’s monitoring obligation[16], and the European Commission merely encourages Member States to establish their own national mechanisms, offering them financial support.[17]
VI. THE RETURN REGULATION
The proposal for a Return Regulation, presented by the European Commission on 11 March 2025, represents the most recent and final link in the chain of surveillance under review. The document introduced by the Commission has been criticised by over 200 European and international organisations, including Human Rights Watch, Amnesty International, ECRE, PICUM and Access Now, for establishing a punitive and coercive regime incompatible with European human rights standards.[18]
The centrepiece of the proposal, from a digital perspective, is the introduction of the ‘European Return Order’ (ERO), a harmonised form containing information on the return decision and valid throughout the EU. The Regulation requires the ERO to be uploaded to the Schengen Information System (SIS II), making the migrant’s personal data accessible to thousands of police officers across all Member States.[19] The registration of the ERO in SIS II significantly expands the scope of access to migrants’ personal data, subjecting the principle of purpose limitation set out in Article 5(1)(b) of the GDPR to systemic pressure: data collected in an administrative migration procedure becomes accessible to law enforcement agencies across the EU. This amplifies the risk of profiling and secondary use already documented in relation to Eurodac and the interoperability of databases analysed in the previous sections.
SIS II is known for repeated data abuses, non-compliance with regulations by police and immigration authorities[20], for insufficient safeguards and for the systematic violation of citizens’ data protection rights.[21] The European Data Protection Supervisor considered that, given the proposal’s impact on the fundamental rights of data subjects, including the right to privacy and the protection of personal data, a thorough assessment of the Regulation’s impact on fundamental rights should be carried out in order to better identify and mitigate potential risks.[22]
Furthermore, the proposal provides for the possibility of returning a person to a third country with which they have no personal connection (Articles 4 and 17). Sending a person, against their will, to a country with which they have no connection cannot be considered reasonable, fair or sustainable. This measure, applicable to individuals, families and children (with limited exceptions), creates serious risks of arbitrary detention and indirect forced returns, as human rights organisations have warned.[23]
The proposal also introduces entry bans of up to 10 years (Article 10), erodes the right to defence by removing the automatic suspensive effect of challenging a return decision (Article 28) and imposes obligations to cooperate with the authorities (including the provision of biometric data – Article 21), with penalties that may include the confiscation of identity or travel documents, the withdrawal of work permits, the extension of an entry ban, or financial penalties (Art. 22).
Viewed in conjunction with Eurodac and the Screening Regulation, the Return Regulation completes an integrated system that tracks non-EU migrants from biometric registration at the border through to forced return, a process in which individual procedural safeguards are systematically eroded.
V. NATIONAL CONTEXT
The legislative instruments analysed in this article will have concrete effects on real people within the territory of Member States with specific institutional capacities and social contexts. Romania constitutes a relevant case study for two complementary reasons: on the one hand, its new position as an external border state of the Schengen area, which imposes direct obligations on it under the Screening and Eurodac Regulations; on the other hand, recent developments regarding the number and origin of migrants transiting through or remaining on its territory.
By the Decision of the Council of the European Union of 12 December 2024, internal land border controls with Romania were lifted as of 1 January 2025, with Romania thus becoming a full member of the Schengen area.[24] This change entails direct obligations under the Screening Regulation (EU) 2024/1356, whereby any third-country national crossing Romania’s external borders without fulfilling the entry conditions becomes subject to the biometric and documentary screening procedure, with mandatory registration in Eurodac.
The institutional capacity to implement these obligations whilst respecting the procedural safeguards provided for in the Regulation is, according to available data, limited. The number of case officers within the General Inspectorate for Immigration – Directorate for Asylum and Integration (IGI-DAI) has fallen from 39 in 2023 to 24 in 2024.[25] This reduction in staff comes at precisely the time when Romania will have to implement the Pact on Migration and Asylum, a legislative package that imposes new procedures, independent monitoring mechanisms and extended individual safeguards. Article 10 of the Screening Regulation requires each Member State to establish an independent mechanism for monitoring fundamental rights at the borders; such a mechanism requires human and financial resources that Romania does not possess to the necessary extent. The formal safeguards of the Regulation thus risk remaining ineffective.
In 2024, 2.467 asylum applications were recorded at the regional structures of the IGI, 75.7% fewer than the number of applications recorded in 2023. 51.2% of asylum applications were submitted to border police units. Most applications were submitted by nationals of Syria (-1146 in 2024 compared to 2023), Iraq (-96 in 2024 compared to 2023) and Nepal (-663 in 2024 compared to 2023).[26] Access to the labour market has become increasingly difficult for asylum seekers and beneficiaries of international protection, not only because of language barriers, but also as a result of increasingly pronounced anti-migrant and xenophobic rhetoric at national and European level.
As regards non-EU economic migrant workers, according to IGI data, “the total number of temporary residence permits for employment purposes valid as at 31 December 2024 is 100.447”, and in the same year, “the number of rejected applications for the extension of the right of residence for employment purposes was 625”.[27] The IGI also shows that, as of 31 December 2024, citizens of Nepal held the highest number of residence permits for employment (30.578), followed by those from Sri Lanka (18.505), India (9.734), Bangladesh (7.346) and Turkey (6.558).
This reality is directly relevant to the risk of ethnic and racial profiling inherent in the screening system analysed in Section III. In a context where migrant workers predominantly come from South Asia and Africa, they already face documented discrimination in the labour market and in their dealings with state institutions, including abusive practices by employers and systematic barriers to accessing rights, as highlighted in recent research.[28] The application of a control system based on nationality reproduces and amplifies existing inequalities, without the Regulation providing for corrective mechanisms.
A recent study[29] documents the typical journey of a non-EU migrant worker who ends up in an irregular situation in Romania as a result of a chain of institutional dependencies and structural abuses. Until they obtain a single permit, workers are entirely dependent on their employers and state institutions to secure their legal status. This dependency, combined with legislative loopholes and abusive practices, leaves many foreign workers vulnerable to exploitation and human rights violations. The introduction of the European Return Order into SIS II transforms the situation of these individuals (already vulnerable in their dealings with employers, immigration authorities and the administrative system) into a risk profile accessible to thousands of competent authorities across the EU, including police forces in the states to which workers might travel in search of alternative employment. This means that the institutional dependencies and structural abuses documented at national level take on a cross-border dimension, without the individual having effective mechanisms to challenge or rectify the situation. Their biometric data, collected in the context of an administrative labour procedure or a border check, will become tools of a cross-border surveillance apparatus.
VI. CONCLUSIONS
Eurodac, the Screening Regulation and the Return Regulation are not independent legislative instruments, but components of an integrated system of total digital surveillance of non-EU migrants, starting with children from the age of 6. From biometric registration at the border, to the storage of data in interconnected databases accessible to criminal law enforcement authorities, to the inclusion in SIS II of a European Return Order enforceable throughout the Schengen area, to the possibility of return to a third country with no connection to the person concerned. These instruments create a regime whose cumulative effect is the criminalisation of vulnerability.
The system thus constituted raises issues of compatibility with Article 8 of the ECHR (right to respect for private life), Article 14 of the ECHR (non-discrimination), Article 5 of the ECHR (right to liberty and security), Article 13 of the ECHR (effective remedy), Article 3 of the ECHR (prohibition of inhuman treatment, in the context of return hubs), as well as Articles 7, 8, 21, 24 and 47 of the Charter of Fundamental Rights of the EU and the basic principles of the GDPR.
Bringing this legislative framework into line with human rights standards requires specific amendments to the relevant legislation:
- making access by criminal authorities to Eurodac and SIS II conditional upon the existence of a prior judicial warrant;
- requiring a mandatory impact assessment of the effects on fundamental rights prior to the adoption of the Return Regulation;
- requiring the removal of the automatic inclusion of asylum seekers or vulnerable persons in security databases;
- to secure the removal of return hubs from the final text;
- to establish an effective right of access, rectification and erasure of data from Eurodac and SIS II, with accessible judicial review;
- to ensure that challenging a return decision has automatic suspensive effect.
Romania is now a Schengen external border state, a destination country for a growing population of non-EU migrant workers mainly from South and South-East Asia, and a state with insufficient institutional capacity in relation to its obligations under the Pact on Migration and Asylum. The application of the Screening Regulation, Eurodac and the Return Regulation to people who are already vulnerable will amplify existing vulnerabilities, as empirically documented, will transform administrative data into tools for cross-border tracking, will subject people to biometric procedures whose basic procedural rights are not guaranteed in practice, and will codify, at European level, a control model that treats victims of exploitation as potential security risks.
No human being is illegal, and no right is less important than another, including the right to privacy, data protection and human dignity.
[1] EU Regulation 2024/1358, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02024R1358-20240522
[2] EU Regulation 2024/1356, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02024R1356-20240522
[3] EU proposal for a Regulation on return, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52025PC0101
[4] Directive 2008/115/EC
[5] Press release, Council of the EU, General position on the proposal for a Return Regulation, available at: https://www.consilium.europa.eu/ro/press/press-releases/2025/12/08/council-clinches-deal-on-eu-law-about-returns-of-illegally-staying-third-country-nationals/
[6] Charter of Fundamental Rights of the EU, available at: https://eur-lex.europa.eu/legal-content/RO/TXT/PDF/?uri=CELEX:12016P/TXT
[7] EU Regulation 2016/679 – GDPR, available at: https://eur-lex.europa.eu/legal-content/RO/TXT/PDF/?uri=CELEX:32016R0679
[8] Charter of Fundamental Rights of the EU, Art. 24(2): “In all actions relating to children, whether taken by public authorities or private institutions, the child’s best interests must be a primary consideration.”; UN Convention on the Rights of the Child, Art. 3(1): “In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.”
[9] European Travel Information and Authorisation System.
[10] Regulations (EU) 2019/817 and 2019/818 on the interoperability of EU IT systems, available at: https://eur-lex.europa.eu/eli/reg/2019/817/oj/ron and https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02019R0818-20250128
[11] Recital 60 of REGULATION (EU) 2024/1689 acknowledges that these systems “affect individuals who are often in a particularly vulnerable position” and that their “accuracy, non-discriminatory nature and transparency” are “particularly important to ensure respect for fundamental rights”, available at: https://eur-lex.europa.eu/legal-content/RO/TXT/?uri=CELEX:32024R1689
[12] Charter of Fundamental Rights of the EU, Article 52(1): “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, restrictions may be imposed only where they are necessary and only if they are effective in achieving objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”
[13] CJEU, Case C-362/14, Schrems v Data Protection Commissioner, available at: https://eur-lex.europa.eu/legal-content/RO/ALL/?uri=CELEX:62014CJ0362
[14] Article “The Dark Side of EURODAC”, The Regulatory Review, 24 October 2023, available at: https://www.theregreview.org/2023/10/24/krishnan-the-dark-side-of-eurodac/
[15] ECHR, CASE OF S. AND MARPER v. THE UNITED KINGDOM, applications nos. 30562/04 and 30566/04, judgment available at: https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-122082%22]}
[16] European Border and Coast Guard Agency: https://www.frontex.europa.eu/
[17] FRA, Fundamental Rights Report 2024, available at: https://fra.europa.eu/sites/default/files/fra_uploads/fra-2024-fundamental-rights-report-2024_en.pdf
[18] Press release, Human Rights Watch, available at: https://www.hrw.org/news/2025/09/16/more-than-200-organisations-inhumane-deportation-rules-should-be-rejected?fbclid=IwY2xjawQmUgtleHRuA2FlbQIxMABicmlkETF4TFhLOUNDbDNHSXRrMnFPc3J0YwZhcHBfaWQQMjIyMDM5MTc4ODIwMDg5MgABHp94ErARggkNSAFvzqXYG2gCITTEe-XmBt71fvEWyR0ZfawQxnm5vO7Ju6gf_aem_FUyjDIMTG6VdfuFtf-ANpw
[19] Articles 7–9 of the EU Proposal for a Regulation on return.
[20] Article “Longstanding failings in police databases likely to worsen under new deportation law”, Statewatch, available in English at: https://www.statewatch.org/news/2025/june/longstanding-failings-in-police-databases-likely-to-worsen-under-new-deportation-law/
[21] Article “Italy: The end of the systematic denial of data protection rights?”, Statewatch, available in English at: https://www.statewatch.org/analyses/2025/italy-the-end-of-the-systematic-denial-of-data-protection-rights/
[22] Press release “Migration management: data protection is one of the last lines of defence for vulnerable individuals”, EDPS, available in English at: https://www.edps.europa.eu/press-publications/press-news/press-releases/2025/migration-management-data-protection-one-last-lines-defence-vulnerable-individuals_en
[23] Ibid. 17
[24] Council Decision of 12 December 2024, available at: https://eur-lex.europa.eu/legal-content/RO/ALL/?uri=CELEX:32024D3212
[25] JRS Romania, Country Report: Number of staff and nature of the first instance authority, available in English at: https://asylumineurope.org/reports/country/romania/asylum-procedure/general/number-staff-and-nature-first-instance-authority/
[26] National Immigration Strategy 2026–2030 (Annex to the Government Decision, approved in 2025, available at: https://webapp.mai.gov.ro/frontend/documente_transparenta/793_1773733302_Anexa%20nr.%201-%20SNI%202026-2030.pdf
[27] Research ‘A day in the life of a migrant worker’, 2025 Legal Resource Centre, available at: https://www.crj.ro/wp-content/uploads/2025/08/Cercetare-muncitori-migranti_AFCN.pdf
[28] Ibid. 27
[29] Ibid. 27