DATAGOV Blog

When people joke about mass surveillance, they usually think of NSA intelligence officers listening in on your phone calls. But that image is outdated. Today’s surveillance system do not need to spy on suspects individually. It records everyone, all the time. It passively collects data about everyone, indiscriminately, so that when someone becomes “of interest,” all that remains is to search. But contemporary data infrastructures go one step further. Through algorithmic profiling and risk-scoring systems, they automate the process of deciding when someone becomes “of interest.” Surveillance now becomes permanent and automated.

Unfortunately, this is a global trend. With our world governed more and more through data, surveillance is no longer something done to criminals or at borders. Instead, it becomes a background condition of every person’s daily lives. And the EU is no exception.

I have heard many people saying “oh but that’s fine, as long as you have nothing to hide, then you have no reason to be scared.” But that is not the point, this form of surveillance changes our fundamental rights as citizens. Privacy stops being a default but instead is granted conditionally by the algorithms that process your data as ‘not suspicious’. Innocence is no longer a right you have which the state is obliged to uphold to you. It becomes a technical status that needs to be verified through data before any ‘obligation’ is exercised . In the simplest terms, we are no longer innocent until proven guilty, we are suspicious until calculated innocent. So, it is not about whether you have something to hide, it is about what you have the right to as a citizen.

Let me explain further with the case of policing and migration databases in the EU. eu-LISA was created in and was designed to manage all the security databases in the EU. The European Commission assigned it the role to maintain digital policing systems like the European arrest warrant, migration databases like VISA and border crossing tracking. eu-LISA’s goal was simple; make sure these systems work technically and then Europe will have better access to information about criminals, illegal border crossers, and potential terrorists. Then Europe will be safe.

These databases were created separately. Each system operated under a different legal regime, with different access rules and purposes. This fragmentation limited how data could be reused and helped prevent information collected for one reason, like applying for a visa, from automatically becoming policing intelligence. Their separation was not an oversight but a safeguard.

From a rights perspective, fragmentation matters. It reduced the risk that people would be continuously tracked across domains of life, preventing continuous surveillance of citizens and people more generally.

But big data technologies do not work statically. The technologies create a demand for more data by internalizing an operational logic of ‘more data is better.’ So, from this perspective, experts in charge of implementing these technologies at eu-LISA start to see fragmentation increasingly as a problem. Fragmentation was then increasingly framed as a security risk: it enabled “identity fraud,” and allowed people to move across Schengen without being fully visible to authorities. The same person could appear multiple times across systems without being recognized as the same individual. A person could be registered as an asylum seeker, a visa applicant, or a suspect all at the same time without the systems automatically linking their identities.

The EU adopted a technical ‘fix’ to the problem: link databases at the level of the body. Fingerprints and facial images were framed as neutral, objective identifiers that are more reliable than names or document. By using biometrics, the EU created a supra-layer with the Central Identity Repository (CIR) linking migration, policing, and border control data together without formally merging the databases themselves. The legal separation remains on paper, but biometric matching quietly bridges the databases in practice.

What emerges is not simply connected databases, but a unified assessment infrastructure. Instead of checking you at specific institutional moments, the system now continuously evaluates your identity across domains. This is why the old image of the NSA agent listening to phone calls is misleading. Surveillance today is not primarily about someone watching you. It is about data infrastructures that silently talk to each other and sort. No one needs to suspect you personally. The interoperable system continuously evaluates whether your data is coherent, whether your biometric markers match, whether your profile raises anomalies. Suspicion is thus no longer an event, it is a continuous measure.

And this is the real transformation. Privacy is no longer the background condition of citizenship; it becomes something you retain as long as your data behaves. Innocence is no longer presumed, it is computationally confirmed. Rights are no longer exercised first and restricted later; they are conditionally activated through technical verification. The question is therefore not whether you have something to hide. The question is whether citizenship itself is being rewritten as a continuous performance of calculable trustworthiness.