Document Actions

You are here: Home Online Magazine research & discover A Philosophical Perspective on …

A Philosophical Perspective on EU Security Initiatives

University of Freiburg Philosopher and jurist Elisa Orrù has analyzed European Union data banks

Freiburg, May 25, 2022

Is the surveillance of citizens by European Union (EU) security authorities legitimate? Philosopher and jurist Dr. Elisa Orrù has dedicated herself to this issue. At the end of last year, her University of Freiburg postdoctoral thesis was published in book form. Orrù is a lecturer at the Centre for Security and Society (CSS) of the University of Freiburg. She directed Freiburg’s research contribution to the EU project TRESSPASS on ethical questions regarding digitized and artificial intelligence (AI) supported security checks. Thomas Goebel spoke with her about power, surveillance, and data banks.

"The EU empowers individual countries to gather and evaluate data on an individual, even though this person hasn’t done anything illegal at all," explains Dr. Elisa Orrù, a staff member at the Centre for Security and Society (CSS) at the University of Freiburg. Photo: mixmagic /

Ms. Orrù, how has digitization changed the work of European security authorities?

Elisa Orrù: Digitization on the whole has had major effects on European security policies, especially in terms of networks, because responsibilities are still mainly with the individual countries. That’s why big data banks play an important role.

Which of these EU data banks have you analyzed?

One is the Schengen Information System (SIS), the oldest of the EU’s data banks. It contains, for example, data on individuals who are being sought by the authorities or who are not allowed to enter the Schengen area. At the beginning, only data such as name and date-of-birth were stored. Since then, an increasing amount of biometric data, such as digital fingerprints and biometric passport photos have been added. Another system I examined is the one based on what is known as the Prüm Convention of 2008. This is actually the networking of national data bases which above all contain the DNA data of individuals who have been linked to a crime. Meanwhile, there has been a tendency to make different European data banks interoperable, meaning that systems which were formerly separate from each other are now linked. Ultimately, this could lead to a centralized data bank for biometric data.

You’ve also taken a look at a third EU data initiative, probably the least known of the three.

Yes, and it’s also the most interesting. It’s the directive on flight passenger data sets, the Passenger Name Record (PNR). In 2016, the EU required member states to set up centralized national data banks for this. They contain information that the countries receive from the airlines when a person books a flight. The EU required this only for flights outside of the EU but left the countries the option of including inner-European flights as well. Nearly all of the countries did that, including Germany. What gets stored, for example, is how the flight is paid for, whether the passenger has excess luggage, or if the booking is made together with another person. The Federal Criminal Police (BKA) gathers this data in Germany. Then it is compared with certain patterns and a threat ranking is assigned to every single person. What I find surprising is that there’s so little opposition to this.

There weren’t any protests?

There were a few cases filed with the European Court of Justice (ECJ), including one based on an initiative of a German organization called the “Society for Civil Rights e.V.” (“Gesellschaft für Freiheitsrechte, e.V.” (GFF)). But I think the public debate is really modest, particularly given that ultimately, every citizen is first placed under suspicion. The assessments are passed on to the border control authorities and shared with other EU authorities in certain cases.

What accounts for your legal-philosophical perspective on these issues?

Security and power are always the focal point of legal and political philosophy. According to Thomas Hobbes, for example, the state is legitimized through its guarantee of security. The citizens must transfer the right to exercise force to the state, but only so that it ensures that we no longer go around killing each other. That’s the state’s monopoly on the use of force. Hobbes did adopt an authoritarian course, but he was the first to demand that citizens had to legitimize the state by forming a contract with it, and the state in turn then had to guarantee basic rights. That’s the beginning of modern political philosophy.

What does that mean for the EU initiatives that you’ve analyzed?

Political power, including that of the EU, exists in order to solve specific problems – here, those of order and security. This power has to be exercised in such a way, however, that it neither reproduces nor even magnifies the problems that it is intended to solve. That’s why it must be limited. If we look at the tendency towards a common biometric data bank, and above all, the handling of flight passenger data, in my opinion, it’s questionable if the balance between government power and individual rights is still being maintained.


The EU empowers individual countries to gather and evaluate data on an individual, even though this person hasn’t done anything illegal at all. It’s not a matter of whether a flight was paid for with a stolen credit card, but whether it was paid for in cash or with a card. If a person pays cash and has heavy luggage and is flying to Turkey, those facts can, in connection with other criteria, lead to the traveler being given a high threat rating in Germany, because they could be traveling on to Syria as a fighter for “Islamic State.” Many of the criteria aren’t even known because the authorities don’t want to reveal them. That means citizens don’t even know how they should behave simply to be left alone. And I think that’s quite dangerous for a democratic country under the rule of law.

In your opinion, what would a system of surveillance that upheld the values of democracy and rule-of-law look like?

In the background there is a fundamental question of whether surveillance can ever be legitimate. I think so. This is when it is used to pursue specific objectives and it is well-monitored. With respect to the EU, there should in any case be clearly augmented oversight of the measures and transparency as well. There haven’t yet been any reasonable studies on the storage of flight passenger data – whether something like that is effective, or if you can really identify terrorists with it. Neither the number of citizens whose data is being analyzed, nor the error rate of the threat assessments is known. In my opinion, the individual countries should be required to pass on such critical data to the EU and the EU must be required to publish it. And in addition to the courts, there has to be an oversight body, for example a parliamentary committee, that continually evaluates such measures and also has the capability to suspend them.

But aren’t the data collections of tech companies like Meta/Facebook or Alphabet/Google much more problematic?

That’s true. What tech companies do with data goes far beyond what the EU authorities do. You shouldn’t underestimate the surveillance being done by commercial entities. That’s urgently in need of more stringent regulation. Nevertheless, there’s a difference. Google can’t lock anyone up, but the government authorities can, ultimately. That’s why what they’re doing requires special limitation.


E. Orrù, Legitimität, Sicherheit, Autonomie. (Legitimacy, Security, Autonomy) Eine philosophische Analyse der EU-Sicherheitspolitik im Kontext der Digitalisierung (A philosophical analysis of EU security policy in the context of digitization), Baden-Baden: Nomos, 2021. Open access version:

Website Website of the Centre for Security and Society (CSS) of the University of Freiburg