Biometrics - the EU takes another step down the road to 1984
- biometric documents for visas and resident third country nationals to be introduced by 2005
- biometric passports/documents for EU citizens to follow
- "compulsory" fingerprints and facial images
- data and personal information to be held on national and EU-wide databases
- admission that powers of data protection authorities cannot cope
- no guarantees that data will not be made available to non-EU states (eg: USA)



The European Commission has produced two draft Regulations (25.9.03) to introduce two sets of biometric data (fingerprints and facial image) on visas and resident permits for third country nationals by 2005. The biometric data and personal details on visas will be stored on national and EU-wide databases and be accessible through the Visa Information System (VIS) held on the Schengen Information System (SIS II). The proposal is silent on whether the biometrics and data on third country nationals will also be held on the SIS, though it is clear that national registers of third country nationals resident in every EU member state will be created (a long-standing demand by the German government will thus be put into practice). That this same information will also be held on the SIS is inevitable.

Another proposal for the inclusion of biometrics and personal data: "in relation to documents of EU citizens, will follow later this year"

Tony Bunyan, Statewatch editor, comments:

"These proposals are yet another result of the "war on terrorism" which show that the EU is just as keen as the USA to introduce systems of mass surveillance which have much more to do with political and social control than fighting terrorism.

To the proposed surveillance of all telecommunications is added the control of movement of all visitors and third country nationals, to be followed by that of EU citizens too. How long will it be before there will be a compulsory EU identity card? All the data will be held on the EU-wide Schengen Information System which can be accessed by tens of thousands of officials - how long will it be before biometrics collected for travel documents will be used for other purposes?

As to data protection, no new powers should be taken to collect personal data until national data protection authorities are given proper investigative powers and finance and the European Commission itself demonstrates a willingness to actually enforce the 1995 Directive"



The Commission's proposals are explicitly presented as a response to "September 11, 2001" to "improve document security" in order to "detect people who try to use forged official documents in order to gain entry to European Union territory". What is extraordinary is that the EU adopted two Regulations just last year (on visas - 334/2002/EC and residence permits -1030/2002/EC) as a response to the need for security including the introduction of photographs on both sets of documents. It was last autumn that the Benelux countries - Belgium, Netherlands and Luxembourg - said this was not good enough and that biometric data should be included too. The German government backed this idea.

This proposal from these four EU member states was endorsed at the Informal Justice and Home Affairs Ministers meeting in Veria, Greece on 28-29 March. According to the Commission document:

"Commissioner Vitorino undertook to present a proposal, at the same time emphasising that a coherent approach should be taken in respect of all travel documents, including the passports of EU citizens"

Mr Vitorino was echoing the views of the majority of EU governments and, like them, used the US demand that passports had to carry biometric data by October 2004 to try and legitimate the move - which is hardly logical as most EU citizens will never visit the USA or indeed may not want to.

The Thessaloniki Summit under the Greek Presidency of the Council on 19-20 June endorsed the approach agreed at the Informal JHA meeting and added that there should be a "harmonised solution" between biometric data on travel documents and "information systems (VIS and SIS II)". VIS is the Visa Information System which will comprise National Visa Information Systems (N-VIS) and a Central Visa Information System (C-VIS). The Summit Conclusions, like the Commission document, is silent on the question of whether biometric and personal data will also be held on the second-generation Schengen Information System, SIS II on all resident third country nationals and EU citizens.

What is particularly objectionable about the two proposals is that the two groups who will be affected first are resident third country nationals who are largely migrants from the Third World and those needing visas to enter/visit. People from most Third World - 135 countries - need visas to enter, but the "white list" or countries who can enter without visas will not be affected - there are 33 countries on this list, 12 of whom are EU accession/applicant countries - the remaining 31 countries include USA, Canada, Australia, New Zealand, Japan, Israel, Switzerland, Croatia, South Korea, Singapore, Mexico and eight South American countries.

Fingerprints and facial images



The Commission is proposing that two biometric identifiers are taken from individuals, a digital photograph as a "facial image" and fingerprints which will both be stored on a contactless-chip embedded in a document. The collection and storing of the "facial image" is to be "mandatory" to which a second biometric identifier, fingerprints are to be added.

The Commission is clearly aware that much of the technology needed for "facial images" is still under development while finger-printing "is the oldest and most mature identifier". Facial images are to be used in two forms with the choice up to member states. The simplest technology is already available by which a "high resolution electronic portrait" is held on the chip as a photo which can be called up to check against for example at a border crossing. The more advanced "facial recognition systems" check the image in the chip on the document against the centrally-held data on a person.

The second biometric identifier, fingerprints, "should not be left to the discretion of Member States". A feasibility study carried out by the Commission on the VIS system recommended that all ten fingerprints should be taken. But because the capacity of currently available contactless chips is small only two fingerprints will be mandatory - the error rate (wrong identification or wrong clearance) on two fingerprints is much much higher than with ten.

The Regulation and financial impact



The Commission has proposed the two new measures in the form of a Regulation which applies across the EU to every member state and leaves them no discretion, rather than a Directive which leaves some discretion on its implementation. The Regulation will result in the:

"total harmonisation of the layout of such documents, and their biometric identifier, thus leaving no room for discretion to the Member States"

The biometric and personal data will be stored on a "64k chip" leaving member states room to "add some alphametric data". The haste with which the Commission's proposals have been prepared is evident when it comes to costs: "The cost of microchip is not yet known" and they seem to be depending on the collective demand for chips by 25 states reducing the costs. It also appears that one-fingerprint systems are much cheaper than for more fingers. Individuals will be expected to "enrol" (although this "enrolment" will be compulsory) so that the two biometric images can be captured.

This is just the start of the costs, the creation of national databases, "enrolment equipment", "verification systems" at border posts are others.

How is data protection is possible when the present system cannot cope?



The Commission goes to great lengths to try and stress privacy and data protection. The two proposed Regulations say that no information should be stored on the chip unless it is covered by the "Regulation, its Annex or unless it is mentioned in the relevant travel document". The Annex has not yet been published and travel documents from another country could hold, in time, additional personal data.

Although the Commission says that the data held will come under the EC 1995 Directive on data protection it also highlights the inadequacy of the data protection regime at national level across the EU. These authorities are "under-resourced" as the first report on the 1995 Directive found (this first report took eight years to produce). Lack of resources "may affect independence" and there are "serious concerns" over their ability to carry out their existing roles.

To this might to added that the powers of investigation of national data protection authorities varies greatly from state to state, as does the size of their staff and budget. Most are under-resourced and few have "investigative powers" which are meaningful (ie: the power to arrive unannounced to carry out an inspection).

Added too might be the fact that the EU has already undermined the principles of the 1995 Data Protection Directive under the Europol-USA agreement and the recent EU-US agreement on mutual cooperation on extradition and judicial cooperation - and may well follow this by conceding to US demands for access to data on airline passengers.

Sources:

1. Commission proposal for a Regulation on biometrics documents:
COM (2003) 558 (pdf)
2. EU list of countries who do and do not need visas to enter/visit:
Visa lists (pdf)
3. Statewatch broke this story on 19 June 2003:
EU Summit: Agreement on "harmonised" biometric identification linked to EU databases
4. Statewatch Observatory on Surveillance in Europe:
S.O.S. Europe

To get regular updates:
Join Statewatch news e-mail list
Statewatch monitors and reports on civil liberties in the European Union: About Statewatch


Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.