Title: VULNERABILITIES

Vulnerabilities

Identification Processes

As stated before, Belgians have an obligation to carry their identity card, and this as of the age of fifteen. A Royal Decree of 1985 specifies in which cases the identity card has to be shown or submitted: (i) upon request of the police, (ii) when filing a notification (‘aangifte’), (iii) upon each request for certificates (‘getuigschriften’), and (iv) in general, each time the holder has to submit evidence of his/her identity, and (v) to the bailiff who shall serve a writ (of summons) or to persons who shall serve a copy thereof. The Belgian Privacy Commission has stressed that in all other cases an individual can in principle only be obliged to show or submit his/her identity card if this is necessary for the execution of a legal obligation.

Several legal provisions explicitly refer to the necessity to submit the identity card. In the context of actions against money laundering, credit card companies, leasing companies and a large group of other financial institutions are by law obliged to request their clients, under particular circumstances, to submit their identity cards for proper identification and to keep a photocopy. This requirement is also applicable to a large group of other professionals, publics, who shall also duly identify the individuals who appear before them by checking their identity on the identity card.

Operators of electronic communication networks and services are in principle also obliged to be able to identify their customers. For that purpose, they request from their customers a copy of their identity card, for example when applying for an Internet connection. A similar practice is applied by utility companies.

These legal provisions which require the aforementioned companies and public servants to verify the identity should have the benefit of making it more difficult for criminals to act in or to abuse someone else’s name when applying for these services. On the other hand, individuals get used to submitting their identity card to obtain services in the private sector and may become willing to provide their identity details voluntarily for other services, even in case this may not be necessary. Criminals will take advantage of this attitude. Opponents of the eID card will even argue that it becomes easier to copy the personal data of the identity card with (unauthorized) smart card readers.  

The use of a central unique personal identification number

The personal identification data of citizens in Belgium are centralized in a national database, the National Register (‘Rijksregister’). The central registering, the memorizing and the communication of personal data about the identification of persons

All persons who are registered in the National Register are identified by the government for administrative purposes with a central unique personal identification number, called the National Register Number (‘Rijksregisternummer’). The National Register Number is intended to be a unique identifier which links persons to personal information relating to them and kept by governmental services. It contains references to date of birth. This National Register number is also mentioned on the eID and in the certificates of the eID. Access to the National Register and the use and processing of the National Register number however is restricted and requires authorization. These strict rules on the use of the National Register number have as a side-effect that for persons not authorized to use the number, it is more difficult to verify the correctness of identity-related data. Companies and persons who are merchants or exercise a liberal profession are also identified by the government by a unique personal identification number, the so-called Company Number (‘Ondernemingsnummer’).

These unique personal identification numbers conferred by the government allow the government and an increasing number of parties authorized to access and use the number to identify natural persons (and companies) in a reliable way (for example by avoiding errors because of similar names, etc). The number also permits the users to update and access the personal information of citizens in an efficient way. The number further facilitates the exchange of personal information amongst several departments of the government. Arguments against the use of the unique personal identification numbers are the risks of linking personal information processed in distinct databases which could lead to major risks for the privacy of citizens.

The unique personal identification numbers however could also be abused by criminals. This risk is increased by the fact that the National Register Number is also mentioned on the eID, and because the identity and the signature certificates on the eID become visible if the eID is used for electronically signing or identifying in private transactions. The government is to some extent aware of this risk and is for this reason considering the creation and deployment of different unique identification numbers for other privacy-sensitive information kept by the government, on the Be-Health platform for example.