As the clock ticks down to the launch of a new EU large scale border management system, the European Travel Information and Authorisation System (ETIAS) in autumn 2026, momentum is building to prepare ETIAS for entry into operation and ensure its compliance with data protection law, and other fundamental rights under the EU Charter of Fundamental Rights.
Through its role in the ETIAS Fundamental Rights Guidance Board (EFRGB), the EDPS follows the implementation of ETIAS at close quarters, and provides guidance that links the right to protection of personal data, with other key fundamental rights affected by the operation of this new system. The EFRGB’s recent guidance on ensuring the right to an effective judicial remedy for applicants, in which the EDPS took an active role, illustrates this approach.
What is ETIAS and who are the EFRGB?
Similar to the US ESTA program, ETIAS is designed to pre-screen travellers from countries that do not require a visa to enter the EU, before they arrive at European borders; this pre-screening will enable authorities to assess the level of risk travellers pose, in terms of potential irregular immigration, security or health threats. By requiring travellers to submit an online application that includes extensive personal data such as travel plans, family details and passport information, ETIAS aims to ensure that individuals who pose potential risks are flagged before entry. However, this pre-screening involves highly sensitive forms of data processing: automated cross-checking against EU and international migration and law enforcement databases; algorithmic profiling of applicants against pre-defined risk groups; and the creation of a watchlist of individuals deemed to pose security threats.
To help mitigate the risks such processing poses to fundamental rights, the legislator established an ETIAS Fundamental Rights Guidance Board (Article 10 of the ETIAS Regulation). Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications.
Access to effective judicial remedies in the context of ETIAS
A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy in case they wish to challenge a decision made on their ETIAS application. For instance, a refusal of a travel authorisation could result from a data processing error, which may lead to wrongful denial of entry into the EU. In such cases, individuals may rely on their right to an effective judicial remedy which is enshrined in Article 47 of the EU Charter. It applies to EU and national authorities when implementing EU law, and enables individuals to challenge before a tribunal, the legality of any decision adversely affecting them.
Last year, the authorities implementing ETIAS invited the EFRGB to provide guidance on how to ensure compliance with Article 47 of the Charter, which guarantees the right to an effective judicial remedy. In response, the Board issued a Guidance Note on Fundamental rights considerations when providing information to ETIAS applicants in order to give effect to their right to an effective remedy and to a fair trial.
In that guidance, the EFRGB sets out the key procedural requirements stemming from case law of the Court of Justice of the EU (CJEU) which imposes a set of obligations on ETIAS authorities when issuing negative decisions on applications. These include the duty to document the reasons for a decision, so that the decision can be subject to external review; the duty to communicate those reasons to the person concerned, so that individual can decide with the full knowledge of the relevant facts, whether it is worth bringing an action before a court to contest it; and the obligation to grant access to the file, which - as required by the ETIAS Regulation - should be disclosed in accordance with data protection law.
The ETIAS national authorities and relevant EU agencies (Europol and Frontex) are now examining how to put those requirements into practice. Particular care may be required where a negative decision is based on confidential law enforcement data or sensitive information regarding security threats. In those cases, limitations on the right to an effective judicial remedy under Article 47 of the Charter are permissible under Article 52(1) of the Charter but must meet specific conditions. These conditions require that the limitations be established by law, respect the essence of the right, serve an objective of general interest recognised by the EU, and be proportionate.
ETIAS authorities will also need to reflect carefully on how to ensure compliance with Article 47 of the Charter where an ETIAS decision is based partly on algorithmic profiling. The CJEU has made it clear (Case C-817/19) that a person concerned by such profiling must have had an opportunity to examine all the grounds and evidence on the basis of which a decision has been taken. This includes information that sheds light on how the pre-determined assessment criteria that underpins such profiling works.
The EFRGB provides a laboratory for integrating data protection with other rights under the EU Charter and fostering constructive collaboration with key fundamental rights bodies participating in the Guidance Board. It may serve as an interesting template as the role of data protection supervisory authorities evolves to supervise new technologies such as AI and the wide repercussions they have on individuals’ fundamental rights.