• Home /
• Analyses /
• 2018 /
• Fingerprints in identity cards: who will oppose an unjustified and unnecessary proposal?

Fingerprints in identity cards: who will oppose an unjustified and unnecessary proposal?

Topic

Country/Region

02 November 2018

The Council and the Parliament are both currently discussing their negotiating positions on the proposal for new EU rules on national identity cards and residence documents issued to EU citizens and their family members when they reside in another Member State. The rules would harmonise certain aspects of these documents’ appearance and security features. Unless amendments proposed by left, liberal and green MEPs are taken into account, the Parliament will follow the Council and Commission in approving the mandatory fingerprinting of hundreds of millions of EU citizens.

Mandatory fingerprinting: experts slam the Commission’s proposal

The Commission proposed in April this year to introduce harmonised rules concerning the appearance and security features of Member States’ national identity cards and of residence documents provided to EU citizens and their family members. The rules would introduce a uniform format and include two biometrics – a facial image and two fingerprints, to be stored on a chip. The decision to include fingerprints, set out in Article 3(3) of the proposal,^[1] ran counter to the Commission’s own impact assessment, which concluded that a mandatory facial image and the optional inclusion of fingerprints was the most proportionate policy.

This aspect was highlighted in a previous Statewatch analysis^[2] and has not been missed by subsequent expert opinions on the proposal:

• The European Data Protection Supervisor (EDPS) noted that “the Proposal does not sufficiently justify the need to process two types of biometric data… the Impact Assessment accompanying the Proposal does not appear to support the policy option chosen by the Commission… the EDPS recommends to reassess the necessity and the proportionality of the processing of biometric data (facial image in combination with fingerprints) in this context”;^[3]
• The Fundamental Rights Agency (FRA) highlighted that storing a facial image as well as two fingerprints “is not supported in the impact assessment… The EU legislator must thoroughly assess the necessity of processing and storing two types of biometric identifiers of EU nationals in national identity cards, in case it decides to follow the Commission proposal”;^[4]
• The Meijers Committee was “not convinced that the inclusion of fingerprints is necessary… the need for including fingerprints is not justified by the objective of harmonising national law and thus making lives of EU citizens easier,” because “including fingerprints in national ID Cards is not common practice in the Member States.”^[5]

From harmonisation to new obligation

It is worth recalling the scope of the fingerprinting proposal. Of the 28 EU Member States, 26 issue some form of identity card (the UK and Denmark are the only exceptions). Of those 26 Member States, membership of a card is compulsory in 15 of them. Fingerprinting is currently required in only 10 Member States, with a combined population of 195 million people. They would be affected by this proposal given that once introduced in EU law, there would be no way to reverse fingerprinting requirements through national measures alone.

Meanwhile, 16 Member States would be subject to a new fingerprinting obligation, with a combined population of 175 million people. In total, some 370 million people would be affected by the fingerprinting requirement – that is, all the EU’s “potential ID card holders”, compulsory and voluntary schemes combined – almost 85% of the EU’s 440 million citizens.

A similar picture emerges regarding residence cards given to EU citizens exercising their right to free movement and legally residing in another Member State, and such cards for their family members. A study contracted by the Commission found residence cards for EU citizens contain biometric features in just 10 of 25 EU countries (no information was available on Cyprus, Ireland or Portugal). Residence cards for the family members of EU citizens have biometric security features in 11 countries (of 26, no information being available on Cyprus or Ireland): “The ones most commonly used are facial image, and fingerprints. Signature and iris prints are also used by a few Member States.”^[6] In short, new EU rules would impose an obligation that is not currently in place in the majority of EU Member States.

What is being proposed is thus a massive change from the current situation, concerning an intrusion on the privacy of hundreds of millions of people – and so far, nobody has even attempted to provide a justification for it aside from the Commission’s feeble claim that it is needed “to further increase effectiveness in terms of security.”

From the Commission to the legislators

The opinions of the EDPS, FRA and Meijers Committee have done little to sway the Council, which appears entirely to content to maintain the fingerprinting requirement, thus disregarding one of the basic principles of EU law on data protection and privacy – that any new measure should be both necessary and proportionate.

Over in the Parliament, meanwhile, a common position has not yet been agreed. The draft report for the civil liberties (LIBE) committee put together by Gérard Deprez, a French MEP from the ALDE group (Alliance of Liberals and Democrats in Europe), foresees maintaining the requirement to include two fingerprints.^[7] On 11 October, however, MEPs from other groups submitted their proposed amendments to Deprez’s report, a number of which seek to remove the fingerprinting requirement, as well as introduce various other safeguards and improvements to the text.^[8]

These positive amendments have come from MEPs in the socialist (S&D), left (GUE/NGL) and green (Verts/AEL) groups, as well as some of Deprez’s own colleagues in the ALDE group, and vary in their level of ambition. For example, the S&D amendments propose letting national authorities choose whether to store fingerprints or not – but if they do, they should be “minutiae or patterns, a subset of the characteristics extracted from two fingerprints”^[9].

Cornelia Ernst, a German MEP from the GUE group, proposes deleting the references to fingerprints but making sure that “holograms and/or watermarks “are included on the card, alongside a biometric facial image, “to ensure authenticity check and prevent forgery.” Eva Joly, a French green MEP, highlights that: “The impact assessment concludes that the purpose of security can be achieved by limiting the compulsory storage to facial images.”

The strongest comments included alongside proposed amendments come from Sophia in ‘t Veld and Angelika Milnar, two MEPs from Gérard Deprez’s ALDE group. They state that:

“Inclusion of fingerprints on identity cards has not been proven necessary or proportionate for the purpose of promoting free movement, which is the legal basis of the Proposal. The impact assessment of this Proposal does not contain sufficient justification for the mandatory collection of fingerprints… More than half of Member States do not currently collect fingerprints of their citizens to store on identity cards, so hundreds of millions of EU citizens would become subject to this disproportional measure.”

Opposing these arguments are those from right-wing groups in the EP. Carlos Coelho, a Portuguese MEP from the European People’s Party (EPP), appears largely content with the Commission’s proposals on fingerprinting, although he proposes adding text to ensure that biometric data in an identity card’s chip is “only accessible to the holder, competent authorities and, upon authorisation of the user, to other entities.”^[10]

Anders Primdahl Vistisen and Kristina Winberg (both in the European Conservatives and Reformists group and members of the Danish People’s Party and Swedish Democrats, respectively) are also in favour of maintaining the fingerprinting requirement, and extending the biometric scope of national identity cards in the future. One of their proposed amendments would require the Commission, during a future evaluation of the rules, to examine “the necessity to further propose more advanced and higher accuracy biometric technologies against new types of identity fraud.”^[11] These two MEPs are also in favour of introducing “administrative measures” in national law “for the purpose of ensuring compliance with the collection of biometric identifiers.” No further details are provided, but the phrasing echoes that used to permit the use of force to obtain the fingerprints of asylum-seekers.^[12]

Who is likely to win in this biometric tug-of-war? Of the 60 members of the civil liberties committee, the right and far-right have 31 members (EPP, 17; Europe of Freedom and Direct Democracy, EFDD, 4; ECR, 7; Europe of Nations and Freedom, ENF, 3). However, the three members of the ENF group (home to the French Rassemblement National – formerly the Front National – and the Dutch Freedom Party, amongst others) are opposed to the proposal as a whole. There is one member of the committee without a group (Udo Voigt, a German MEP from the far-right National Democratic Party).

The left and liberals have 28 members (S&D, 15; ALDE, 5; Greens, 4; GUE, 4), although given that the ALDE rapporteur appears to have a different opinion to some of his colleagues on the fingerprinting issue, it cannot be guaranteed they will all vote the same way.  Of course, the same could be said of MEPs from every other group, whichever side of the political spectrum they sit on. Anyone can find their MEP to ask them how they or their group intends to vote via the European Parliament website.^[13]

Biometric population databases?

Another pertinent issue raised by both the European Data Protection Supervisor and the Fundamental Rights Agency concerns the possibility of national governments using the new rules on gathering fingerprints for identity as a means to create national fingerprint databases. This is not simply a hypothetical concern – some years ago, after the introduction of EU rules requiring the inclusion of fingerprints in passports, the Dutch government proposed keeping them in a national database. A case on the issue eventually ended up in the Court of Justice,^[14] although not until some years after the database plans had been scrapped.

When the Court did finally examine the case, it concluded that the Regulation on biometric passports:

“must be interpreted as meaning that it does not require the Member States to guarantee, in their legislation, that biometric data collected and stored in accordance with that regulation will not be collected, processed and used for purposes other than the issue of the passport or travel document, since that is not a matter which falls within the scope of that regulation.”

The Council’s latest position on the identity cards Regulation includes a recital reflecting this view. It says that the new rules do “not provide a legal base for setting up or maintaining databases for storage of those data in Member States, which is strictly a matter of national law.”

However, some MEPs are hoping to introduce an outright prohibition on using biometric data collected for identity cards and residence documents for any other purpose:

• Cornelia Ernst wants to include articles stating that biometric identifiers “shall be stored in a highly secure manner only for the time required to produce the national identity card or residence card and shall be immediately erased and destroyed once stored in the storage medium,”^[15] and that biometric data “collected for the purposes of this Regulation shall not be stored in any, current or new, national or EU database and shall not be further processed for purposes other than those set out in this Regulation”;^[16]
• Eva Joly proposes the text: “Storage in centralised European or national databases of the biometric data collected for the purpose of this Regulation shall be prohibited.”^[17]
• S&D MEPs want to include an article clarifying that: “This Regulation does not establish a centralised database at Union level and the biometric data collected for the purpose of this Regulation shall under no circumstances be stored in national databases. Biometric identifiers outside the storage medium shall be stored in a highly secure manner only for the time required to produce the national identity card or residence cards and destroyed immediately once stored in the storage medium.”^[18]

In the context of the EU’s interoperability agenda, which seeks to connect all EU databases related to security and migration – and eventually incorporate national databases too – such safeguards are important to ensure that the rules on identity cards and residence documents do not become a back door to establish new systems. As the FRA’s opinion on the Commission’s proposal put it:

“The creation of national dactyloscopic [fingerprint] databases of all identity and residence cards holders would constitute a grave interference with the right to respect for private and family life (Article 7 of the Charter) and with the right to protection of personal data (Article 8 of the Charter).”^[19]

Child-size biometrics

The Commission’s original proposal set the lower age limit for fingerprinting at 12 years old. The Council subsequently made this a voluntary limit, which would allow national authorities to fingerprint children younger than 12 if they so wished.^[20] These provisions remain in the Council’s latest position, which remains a long way from meeting recommendations made by the EU’s data protection and fundamental rights expert bodies.

The EDPS’ opinion states that because of the “wide range and potential impact of the Proposal outlined above,” it is recommended to set “the age limit for collecting children’s fingerprints under the Proposal at 14 years, in line with other instruments of EU law.”^[21] The FRA, for its part, argued that the minimum age of 12 years should also apply to children’s residence cards, as the proposal makes no mention of a minimum age for this type of document.

In the Parliament, however, there are divergent views on the issue of the minimum fingerprinting age. MEPs from the GUE, Green and S&D groups are following the advice of the EDPS and proposing that the minimum age for fingerprinting be set at 14 years old. Those from the EPP and ECR groups, meanwhile, propose lowering the minimum age limit to six years. However, no MEP seems to have seen fit to take up the FRA’s recommendation to ensure that a minimum age of 12 (or, indeed, any minimum age) applies to the collection of fingerprints for residence documents.

A number of other important issue are also yet to be decided – for example, the question of more robust safeguards for children whose biometric data is taken; the possible inclusion of provisions to ensure that gender-sensitive procedures are employed in taking biometrics; the time limits for the Commission to perform an evaluation of the proposals and precisely what the scope of that evaluation should be.

Fingerprints in identity cards and residence documents: in with a whimper?

While their MEPs may be opposing the Commission and Council stance on including fingerprints in identity cards and residence documents, the S&D, ALDE and Greens/EFA groups are not making much noise about the topic. Indeed, in the context of the increasing deployment of biometric technologies throughout society – from mobile phones, to workplaces, to banks and beyond – it may seem as though debating the merits of the state gathering individuals’ biometric data is somewhat passé.

However, the increasing use of biometric technologies by both public and private bodies is precisely why their use should be subject to increased scrutiny. Handing over a digital copy of your face, fingerprint, iris (or any other physical feature) to the government, a corporation or any other institution should not be taken lightly. This is all the more so when the organisation proposing that you place a copy of your fingerprints in a personal identity document – in this case, the European Commission – has not even offered a justification to back up its proposal. The proposal to store fingerprints in all national identity cards and residence documents across the EU remains both unjustified and unnecessary.

Chris Jones

Endnotes

[1] ‘Proposal for a Regulation on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement’, COM(2018) 212 final, 17 April 2018, http://www.statewatch.org/news/2018/apr/eu-com-security-union-identity-cards-residence-docs-com-2018-212.pdf

[2] Chris Jones, ‘Fingerprints in identity cards: unnecessary and unjustified’, Statewatch Analysis, June 2018, http://www.statewatch.org/analyses/no-331-biometrics-for-identity-cards.pdf

[3] European Data Protection Supervisor, ‘Opinion 7/2018 on the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents’, 10 August 2018, https://edps.europa.eu/sites/edp/files/publication/18-08-10_opinion_eid_en.pdf

[4] Fundamental Rights Agency, ‘Fundamental rights implications of storing biometric data in identity documents and residence cards’, 5 September 2018, http://fra.europa.eu/en/opinion/2018/biometric-id

[5] Meijers Committee, ‘Comments on a European ID card’, undated, https://www.commissie-meijers.nl/sites/all/files/cm1811_comments_eu_id_card_0.pdf

[6] Centre for Strategy and Evaluation Services (CSES), ‘ Study to Support the Preparation of an Impact Assessment on EU Policy Initiatives on Residence and Identity Documents to Facilitate the Exercise of the Right of Free Movement’, August 2017, pp.72-4, https://ec.europa.eu/info/sites/info/files/dg_just_final_report_id_cards_and_residence_docs_cses_28_august_2017_2.pdf

[7] Draft report on the proposal for a Regulation on the strengthening the security of identity cards, 12 September 2018, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-627.780+01+DOC+PDF+V0//EN&language=EN

[8] Amendments 69-205 to the draft report on strengthening the security of identity cards, 11 October 2018, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-628.630+01+DOC+PDF+V0//EN&language=EN

[9] As explained in the EDPS opinion: “45. …fingerprint recognition technologies can be divided in three classes:

• those that store and compare images of fingerprints
• those that store and compare minutiae, a subset of the characteristics extracted from fingerprint images
• those that store and compare patterns extracted from fingerprint images.

46. …There are standards that allow fingerprint recognition systems of different vendors to be interoperable amongst their class, but the fingerprint recognition systems are not interoperable between classes.

47. Storing fingerprint images allows the calculation of subsets of its characteristics while the opposite is not possible. Having the image of the fingerprint stored in the documents chip allows Member States that opted for any class of fingerprint recognition technology to use the biometric data. However, if the chip stored a minutiae, a Member State that deployed an image based fingerprint technology could not use the biometric data, as fingerprint images can’t be obtained from minutiae. At the same time, in case of a security breach the fingerprint image stored on a lost or stolen identity document could be accessed by criminals and used to cast a fake set of fingerprints allowing to impersonate the identity card owner.

48. The EDPS understands that storing fingerprint images enhances interoperability, but at the same time it increases the amount of biometric data processed and the risk of impersonation in case of a personal data breach. Therefore, the EDPS recommends to limit the fingerprint data stored on the documents chip to minutiae or patterns, a subset of the characteristics extracted from the fingerprint image.”

[10] Amendment 114

[11] Amendment 195

[12] This was a measure agreed by the Commission and the Council in the midst of the EU’s supposed “refugee crisis” to try to ensure that Italy and Greece fingerprinted every asylum-seeker arriving on their territory. See: ‘COMPULSORY FINGER PRINTING OF MIGRANTS’, Statewatch News Online, July 2015, http://database.statewatch.org/article.asp?aid=35227; and ‘Fingerprinting by force: secret discussions on "systematic identification" of migrants and asylum seekers’, Statewatch News Online, March 2015, http://database.statewatch.org/article.asp?aid=34677

[13]http://www.europarl.europa.eu/meps/en/map.html

[14] The judgment and analysis are available here: ‘Biometric data and data protection law: the CJEU loses the plot’, April 2015, http://database.statewatch.org/article.asp?aid=34832

[15] Amendment 181

[16] Amendment 182

[17] Amendment 183

[18] Amendment 171

[19] Fundamental Rights Agency, ‘Fundamental rights implications of storing biometric data in identity documents and residence cards’

[20] ‘Biometrics in identity cards: the Member States want to fingerprint children’, Statewatch News Online, 26 August 2018, http://www.statewatch.org/news/2018/aug/eu-id-cards-council.htm

[21] A reference is included in the EDPS opinion to the provisions of the Eurodac database of asylum-seekers’ fingerprints. The age limit for that does currently stand at 14, although a new proposal under negotiation would reduce it to six. The same unfortunate proposal has been made regarding the taking of fingerprints for the Visa Information System. See: ‘All visa applicants to be profiled and children fingerprinted for revamped Visa Information System’, Statewatch News Online, 17 August 2018, http://www.statewatch.org/news/2018/aug/vis-profiling-child-fingerprinting.htm