D3.6: Study on ID Documents

Title: CONCLUSION

Europe is looking for powerful tools to verify the identity of individuals and thus ensure the maintenance of a certain level of security is required. However, in the approach for a standardised use of machine-readable documents, the fundamental rights and freedoms of each person have to be considered carefully. New threats to fundamental rights but also risks for new crimes against citizens (such as identity theft) as a consequence of the deployment of machine-readable documents must be carefully taken into account.

The European Union is now developing the legal basis of an information society that will have a major impact on the identity and the personality of EU citizens and third country nationals. 

Three categories of data subjects may already be subjected to the processing of their biometrical data. Applicants for asylum and aliens apprehended in connection with irregular crossing of an external border must promptly give their fingerprint and the fingerprint will be stored in a central database for a period of respectively ten years and two years from the data on which the fingerprints were taken. Visa applicants must also provide a huge database (the VIS) with their fingerprints for a period of five years after expiry of the visa. However, the VIS database - as the Proposal is today - can be accessible by almost any public authority for almost any purpose, including the purpose of prevention, detection and prosecution of ‘serious criminal offences’. EU citizens who want to go abroad can not leave without having their face and fingerprint stored in their passport or travel document, while nor the U.S. neither the I.C.A.O. standards require the use of two biometrics and while the impact and the risks of the deployment of biometrics has not been assessed adequately yet. Moreover, the Member States themselves will decide whether the biometrical passport data will be stored in a central database: the Regulation leaves the option open and ignored hereby the amendments of the Parliament.

The European data protection and privacy frameworks apply to the Regulations but in no case this means that the Regulations are a priori compliant neither with the Data Protection Directive nor with the ECHR.

The use of biometrics as such is in the first place questioned. Biometrical identifiers are unique: once stolen, they are difficult to replace. People may not be willing to be scanned all the time, especially when they need to look into a camera or have to put their finger on a reader, as if they were criminal. The accuracy of the data and the security of processing is hardly proven and almost merely promoted by the vendors of biometrics. Biometrical data may appear to be sensitive data, which in principle may not be processed. Machine-readability of people and of their documents may turn out to be excessive, hereby surpassing the necessity and proportionality criteria set out by the European Court of Human Rights. 

The legal basis itself of the VIS and EU passport Regulations is questioned. While the VIS is in fact a ‘first pillar’ database, the Proposal provides for access possibilities by ‘third pillar authorities’ - for which normally other legal grounds than articles 62 and 66 of the TEC must be invoked. While the EU regulates its passport on the basis of standards established by non-democratic standardisation bodies (ICAO), Article 18 (3) of the TEC even excludes the adoption of provisions by the EC on passports, identity cards, residence permits or any other such document.

Eurodac, the EU passport and the VIS are subject to possible function creep that is not foreseeable. The impact of this deployment and the future of identity can - regrettably - not be entirely assessed at this moment. A step-by-step approach seems the essential requirement to safeguard the fundamental rights and freedoms.