Biometrics - the EU takes another step down the road to 1984

Biometrics - the EU takes another step down the road to 1984
- biometric documents for visas and resident third country nationals to
be introduced by 2005
- biometric passports/documents for EU citizens to follow
- "compulsory" fingerprints and facial images
- data and personal information to be held on national and EU-wide
databases
- admission that powers of data protection authorities cannot cope
- no guarantees that data will not be made available to non-EU states
(eg: USA)



------------------------------------------------------------------------
----


The European Commission has produced two draft Regulations (25.9.03) to
introduce two sets of biometric data (fingerprints and facial image) on
visas and resident permits for third country nationals by 2005. The
biometric data and personal details on visas will be stored on national
and EU-wide databases and be accessible through the Visa Information
System (VIS) held on the Schengen Information System (SIS II). The
proposal is silent on whether the biometrics and data on third country
nationals will also be held on the SIS, though it is clear that national
registers of third country nationals resident in every EU member state
will be created (a long-standing demand by the German government will
thus be put into practice). That this same information will also be held
on the SIS is inevitable.

Another proposal for the inclusion of biometrics and personal data: "in
relation to documents of EU citizens, will follow later this year"

Tony Bunyan, Statewatch editor, comments:

"These proposals are yet another result of the "war on terrorism" which
show that the EU is just as keen as the USA to introduce systems of mass
surveillance which have much more to do with political and social
control than fighting terrorism.

To the proposed surveillance of all telecommunications is added the
control of movement of all visitors and third country nationals, to be
followed by that of EU citizens too. How long will it be before there
will be a compulsory EU identity card? All the data will be held on the
EU-wide Schengen Information System which can be accessed by tens of
thousands of officials - how long will it be before biometrics collected
for travel documents will be used for other purposes?

As to data protection, no new powers should be taken to collect personal
data until national data protection authorities are given proper
investigative powers and finance and the European Commission itself
demonstrates a willingness to actually enforce the 1995 Directive"



------------------------------------------------------------------------
----


The Commission's proposals are explicitly presented as a response to
"September 11, 2001" to "improve document security" in order to "detect
people who try to use forged official documents in order to gain entry
to European Union territory". What is extraordinary is that the EU
adopted two Regulations just last year (on visas - 334/2002/EC and
residence permits -1030/2002/EC) as a response to the need for security
including the introduction of photographs on both sets of documents. It
was last autumn that the Benelux countries - Belgium, Netherlands and
Luxembourg - said this was not good enough and that biometric data
should be included too. The German government backed this idea.

This proposal from these four EU member states was endorsed at the
Informal Justice and Home Affairs Ministers meeting in Veria, Greece on
28-29 March. According to the Commission document:

"Commissioner Vitorino undertook to present a proposal, at the same time
emphasising that a coherent approach should be taken in respect of all
travel documents, including the passports of EU citizens"

Mr Vitorino was echoing the views of the majority of EU governments and,
like them, used the US demand that passports had to carry biometric data
by October 2004 to try and legitimate the move - which is hardly logical
as most EU citizens will never visit the USA or indeed may not want to.

The Thessaloniki Summit under the Greek Presidency of the Council on
19-20 June endorsed the approach agreed at the Informal JHA meeting and
added that there should be a "harmonised solution" between biometric
data on travel documents and "information systems (VIS and SIS II)". VIS
is the Visa Information System which will comprise National Visa
Information Systems (N-VIS) and a Central Visa Information System
(C-VIS). The Summit Conclusions, like the Commission document, is silent
on the question of whether biometric and personal data will also be held
on the second-generation Schengen Information System, SIS II on all
resident third country nationals and EU citizens.

What is particularly objectionable about the two proposals is that the
two groups who will be affected first are resident third country
nationals who are largely migrants from the Third World and those
needing visas to enter/visit. People from most Third World - 135
countries - need visas to enter, but the "white list" or countries who
can enter without visas will not be affected - there are 33 countries on
this list, 12 of whom are EU accession/applicant countries - the
remaining 31 countries include USA, Canada, Australia, New Zealand,
Japan, Israel, Switzerland, Croatia, South Korea, Singapore, Mexico and
eight South American countries.


Fingerprints and facial images



------------------------------------------------------------------------
----

The Commission is proposing that two biometric identifiers are taken
from individuals, a digital photograph as a "facial image" and
fingerprints which will both be stored on a contactless-chip embedded in
a document. The collection and storing of the "facial image" is to be
"mandatory" to which a second biometric identifier, fingerprints are to
be added.

The Commission is clearly aware that much of the technology needed for
"facial images" is still under development while finger-printing "is the
oldest and most mature identifier". Facial images are to be used in two
forms with the choice up to member states. The simplest technology is
already available by which a "high resolution electronic portrait" is
held on the chip as a photo which can be called up to check against for
example at a border crossing. The more advanced "facial recognition
systems" check the image in the chip on the document against the
centrally-held data on a person.

The second biometric identifier, fingerprints, "should not be left to
the discretion of Member States". A feasibility study carried out by the
Commission on the VIS system recommended that all ten fingerprints
should be taken. But because the capacity of currently available
contactless chips is small only two fingerprints will be mandatory - the
error rate (wrong identification or wrong clearance) on two fingerprints
is much much higher than with ten.


The Regulation and financial impact



------------------------------------------------------------------------
----

The Commission has proposed the two new measures in the form of a
Regulation which applies across the EU to every member state and leaves
them no discretion, rather than a Directive which leaves some discretion
on its implementation. The Regulation will result in the:

"total harmonisation of the layout of such documents, and their
biometric identifier, thus leaving no room for discretion to the Member
States"

The biometric and personal data will be stored on a "64k chip" leaving
member states room to "add some alphametric data". The haste with which
the Commission's proposals have been prepared is evident when it comes
to costs: "The cost of microchip is not yet known" and they seem to be
depending on the collective demand for chips by 25 states reducing the
costs. It also appears that one-fingerprint systems are much cheaper
than for more fingers. Individuals will be expected to "enrol" (although
this "enrolment" will be compulsory) so that the two biometric images
can be captured.

This is just the start of the costs, the creation of national databases,
"enrolment equipment", "verification systems" at border posts are
others.


How is data protection is possible when the present system cannot cope?



------------------------------------------------------------------------
----

The Commission goes to great lengths to try and stress privacy and data
protection. The two proposed Regulations say that no information should
be stored on the chip unless it is covered by the "Regulation, its Annex
or unless it is mentioned in the relevant travel document". The Annex
has not yet been published and travel documents from another country
could hold, in time, additional personal data.

Although the Commission says that the data held will come under the EC
1995 Directive on data protection it also highlights the inadequacy of
the data protection regime at national level across the EU. These
authorities are "under-resourced" as the first report on the 1995
Directive found (this first report took eight years to produce). Lack of
resources "may affect independence" and there are "serious concerns"
over their ability to carry out their existing roles.

To this might to added that the powers of investigation of national data
protection authorities varies greatly from state to state, as does the
size of their staff and budget. Most are under-resourced and few have
"investigative powers" which are meaningful (ie: the power to arrive
unannounced to carry out an inspection).

Added too might be the fact that the EU has already undermined the
principles of the 1995 Data Protection Directive under the Europol-USA
agreement and the recent EU-US agreement on mutual cooperation on
extradition and judicial cooperation - and may well follow this by
conceding to US demands for access to data on airline passengers.

Sources:

1. Commission proposal for a Regulation on biometrics documents: COM
(2003) 558 (pdf)
2. EU list of countries who do and do not need visas to enter/visit:
Visa lists (pdf)
3. Statewatch broke this story on 19 June 2003: EU Summit: Agreement on
"harmonised" biometric identification linked to EU databases
4. Statewatch Observatory on Surveillance in Europe: S.O.S. Europe

To get regular updates: Join Statewatch news e-mail list
Statewatch monitors and reports on civil liberties in the European
Union: About Statewatch


Partial thread listing: