Statewatch News online: Proposal for biometrics on all EU citizens' passports

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

The road to "1984" Part 2
EU: Everyone will have to have their fingerprints taken to get a passport

- everyone wanting a passport will have to "enrol" and have a digitised picture taken which is then stored on a microchip in the passport

- a centralised, biometric-based, "European Passport Register" will be set up and then it will become compulsory for everyone to give their fingerprints too

- all EU citizens holding passports, every resident third country national and everyone visiting the EU with a visa will have their personal biometric "identifiers" plus personal data stored on the new generation Schengen Information System (SIS II)

- all ID cards should also contain biometric data

- this will enable the wholesale surveillance of all movement not just into the EU but within the EU too

For EU citizens getting a passport is quite straightforward, you fill in the form, get your picture taken in a photo booth and simply post both to the passport office. This simple process is about to change: to get a passport you will have to present yourself to an "enrolment centre" where a special picture will be taken of you and then you will have to have your fingerprints taken. These will then be held on a European database with personal data.

On 18 February the European Commission adopted a proposal for a binding Regulation to bring in biometric personal data - a facial image with an option for fingerprints as a second identifier - on all EU passports. Everyone wanting a passport will have to "enrol" in "enrolment centres" (the term makes it sound like a voluntary step) where their pictures will be taken with special cameras. These "pictures" will be digitised and made into a template which will be put onto a microchip in the passport (which may be a paper passport or a plastic card). These "pictures" and identifying personal data will be placed on national databases which can be accessed by law enforcement agencies (police, customs, immigration and internal security agencies). In stage 2 a "European Passport Register" will be set up and at this stage the giving of fingerprints will also become compulsory. This biometric "Register" will join the VIS database (on all visas issued) and residence permits on the planned SIS II.

The political decision to introduce compulsory biometric identifiers, first on visas and residence permits and then on passports, was taken at two Informal meetings of Justice and Home Affairs Ministers (in February 2002 and then in March 2003). The Commission argued for a so-called "coherent approach" for "all travel documents, including the passports of EU citizens". These decisions were not reported at the time. It was the European Councils (the meeting of EU prime ministers) at Thessaloniki in June 2003 and later in Brussels on 12 December 2003 who formally endorsed the proposal. A secondary reason for bringing in biometrics on EU passports, the Commission argues, is that the USA is demanding them on passports too.

The legal basis for the proposal is highly dubious, see: Commission’s EU biometric passport proposal exceeds the EC’s powers, Statewatch legal analysis concludes that: "no powers conferred upon the EC by the EC Treaty, taken separately or together, confer upon the EC the power to adopt the proposed Regulation": Legal analysis

The proposal is that a "facial image" will become the primary biometric identifier and the decision to include fingerprints as a second would be up to decision-making at national level.

In justification the Commission first presents an utterly circular argument - because the decision had already been taken to introduce biometric data on visas and residence permits EU passports "should not lag behind". And further that there must be "coherence" as "malafide persons" might decide not to get a visa or a residence permit (as if they have any choice) and try and get:

"the less secured passport and identity card of EU nationals, the latter documents should also be upgraded"

Yes, the Commission is also slipping in the proposal that all ID cards should also have biometric data. While at the:

"EU level, a centralised, biometric-based "EU Passport Register" which would contain the fingerprint(s) of passport applicants together with relevant passport number and most probably some other, but limited, relevant data... could be created"

Wait a minute, were not fingerprints to be an optional second identifier? Here the Commission is saying they would be mandatory.

They also argue that the:

"harmonisation of security features including biometrics for the European passport would also have a big impact on our relations with third countries, for example the USA"

The measure would also meet the "Recommendations" adopted by the ICAO (International Civil Aviation Organisation) - but these "Recommendations" were written the USA and leading EU states, notably the UK.

Choice of biometric identifiers

The Commission's argument on which biometric identifier to use is embarrassingly tortuous. The Commission has argued for a "coherent approach" and the "harmonisation" of security features so having proposed two mandatory identifiers, facial image and fingerprints, for visas and residence permits it would be logical that EU passports should have the same ones - but not so, the Commission argues:

"coherence with the proposals on visa and residence permits of course does not necessarily mean that for each area, an identical solution should be adopted"

Why "of course", why not? No argument is offered.

But there is a clue in the last sentence of the same paragraph:

"This will change with the second step, the creation of the European Register for issued passports. In this case, the fingerprint has to be taken and registered in order to enable background searches (one-to-many)" (emphasis added)

Could it be that the Commission thinks people might object to having their fingerprints taken in order to get a passport and they want to put this off until "step 2"?

And what of the initial, mandatory identifier, "facial images"? Well, the technology is not in place and will not be for a long time in most countries. So initially they propose relying on "the high resolution electronic portrait" or in plan language the kind photos currently used and taken in a photo booth in the shopping centre - this they will "digitise" and put on the chip - which will allow "one-to-one" checks to be made at "borders" (external borders or internal borders?). Later when the technology is in place "facial recognition systems with a digital photo" will be taken when you "enrol". This "facial scan" will plot 1,800 distinctive features of your face, then be transferred to a template and the image transferred to the microchip in your passport.

"one-to-one" simply means checking that you are the same person as the document you are carrying. "one-to-many" means the border official checks your biometrics against the whole database of millions and millions. But did not the Commission's own report on the visa system (VIS, which is planned to hold a mere 70 million records over the first ten years) say that the more individual biometrics you put into the database the greater the error rate?

How is data protection is possible when the present system cannot cope?

The Commission says that the data held will come under the EC 1995 Directive on data protection but the section on data protection is "economical with the truth". It repeats word for word the first part of the section on data protection from the proposal to bring in biometrics for visas and residence permits but leaves out more critical comments. The proposal on EU passports notes that data protection authorities "have a particular lack of resources" and leaves out the following previous comments:

"Resources difficulties may affect independence. Independence in the taking of decisions is a sine qua no for the correct functioning of the system... if these tendencies are confirmed, they are reasons for serious concern.."

However, it is not just a question of resources it is also the fact that the powers of investigation of national data protection authorities varies greatly from state to state, as does the size of their staff and budget. Most are under-resourced and few have "investigative powers" which are meaningful (ie: the power to arrive unannounced to carry out an inspection).

There are substantial reasons for believing that the way the 1995 Directive on Data Protection operates will offer few safeguards and further that there seems to be little political will either by the Commission and EU governments to make the Directive effective. It took eight years for the Commission to produce the first annual report on the 1995 Directive. This highlighted a number of concerns but we have yet to see any proposals to meet them.

Added to this has been the systematic undermining of the protection offered by the 1995 Directive in the Europol-USA agreement, the EU-USA agreements on extradition, the passing of passenger data to the USA (PNR) and a multitude of agreements between Europol and third countries.

Storage medium, "enrolment" equipment

Biometric data is to be stored on a "contactless microchip". The ICAO has recommended a minimum size of 32k, the Commission is proposing a 64k chip for two reasons. First,

"as it might be necessary to store a facial image and fingerprint images"

and second because:

"Member States [may] wish to add some alphanumeric data"

The proposal is very vague on detail. For example, "the cost of such microchip is not known". Whereas for visas and residence permits the proposal is to take two fingerprints (because the technology for taking all ten fingers is expensive) this make no recommendation - it does say "equipment for the enrolment of ten fingers (flat) costs roughly seven thousand euro" (about £5,000 and a lots them them would be needed). "Verifications systems" also have to be installed at every border post (to check EU passports, visas and residence permits).

How the system will work

The Regulation to include biometrics on EU passports will be binding on all EU member states. It will come into operation within one year of the technology and equipment being in place.

In some member states it will start with "digitising" existing passport photos, in others "facial recognition systems with a digital photo" will require a person to be "enrolled" for the taking of a special image (logging up to 1,800 special "characteristics" of a person's face), and in others this will be supplemented by the taking of fingerprints too.

This biometric data will be stored:
i) on a microchip in the EU passport and
ii) on a national database.

During this "stage 1" the micro-chipped biometric passport will be checked on a "one-to-one" basis (are you the person you say you are on your documents) and "one-to-many" on national databases. Initially border checkpoints will be largely "one-to-one".

In the "2nd stage" a centralised, biometric "European Passport Register" will be created from the national databases. At this stage two biometrics will be required on "enrolment" - facial scans and fingerprints. This "Register" will be held on the Schengen Information System (SIS II).

As passports have to be renewed every ten years new "start-of-the-art" microchips will be inserted every time.

There are no proposals to make the 1995 Directive on Data Protection work properly.

Tony Bunyan, Statewatch editor, comments:

"This is one of the most badly drafted proposals to come out of the Commission, there is no timetable, no costings and it is legally highly dubious. There are no plans, or political will, to make data protection effective in protecting the right to privacy or to guard against the misuse and abuse of the data.

The rationale for the measure is another response to 11 September and the "war on terrorism". It has little to do with combating "terrorism" and a lot to do with the demands of the law enforcement agencies for the surveillance of everyone's movements.

This measure, together with many others in the pipeline at EU and national level, are geared to creating a society where everyone's movements and communications (by phone and e-mail) are subject to surveillance, where everyone is a "suspect". Such a society has more in common with an authoritarian state than a democracy"


1. Proposal for a Council Regulation on standards for security features and biometrics in EU citizens' passports (pdf)

2. Commission’s EU biometric passport proposal exceeds the EC’s powers, Statewatch legal analysis concludes that: "no powers conferred upon the EC by the EC Treaty, taken separately or together, confer upon the EC the power to adopt the proposed Regulation": Legal analysis

3. EU: Security research programme to look at creating "smart" biometric documents which will "locate,identify and follow the movement of persons" through "automatic chips with positioning": Report and documentation

4. Commission proposal for a Regulation on biometrics documents for visas and residence permits for third country nationals: COM (2003) 558 (pdf)

5. Article 29 Data Protection Working Party opinion on biometrics (WP 80) (pdf)

6. Biometrics - EU takes another step down the road to 1984, biometrics on visas and residence permits: Report

Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch bulletin

© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error