D3.10: Biometrics in identity management

Title: SITUATION IN SOME SELECTED COUNTRIES

As stated above in the introduction to this section, we will discuss hereunder briefly the present situation with regard to the legal treatment of biometric systems in some selected countries in the EU. Overall, if one takes a look at the results of the application of the present legal framework upon biometric applications, it appears that Member States, and more in particular the national DPAs, have a considerably large ‘margin of appreciation’ in pronouncing whether specific biometric systems are in conformity or not with the Directive 95/46/EC and the legal provisions of their countries.

The pronouncements of the DPAs on the use of biometrics, to which we will refer below, relate primarily to the situations where the controller has requested a preliminary opinion on the deployment of a biometric application. In France, it has become mandatory since 2004 to request such opinion, which is de facto an authorisation to be obtained, before the start of the processing of biometric data. France is hereby one of the few countries that has acted proactively to the emerging trend of the use of biometric data by imposing such prior authorisation.

The ‘margin of appreciation’ is a concept deferring to a legislator, an administrative or judicial body or another authority, the possibility to have varying views on matters and to appreciate these in different ways, for example, with regard to the choice of the use of means or to what extent a restriction upon the fundamental right to privacy by the deployment of biometrics is ‘necessary’. The concept will be further explained in section . The ‘margin of appreciation’ of the DPAs is considerable as will be shown below, and may even lead to conflicting opinions in different Member States on very similar biometric applications.

In biometrics, such margin of appreciation of the national DPAs is in our view enhanced because the national data protection laws contain in most countries no specific provisions or criteria on the processing of biometric data. Hence, the DPAs applying the general national data protection laws effective in their country use different criteria which results in diverging views. 

We will limit the description of the legal treatment of biometrics to some selected countries of the European Union, in particular Belgium, the Netherlands, France and the United Kingdom. 

Belgium 

In Belgium, the general data protection law of 8th December 1992, as modified, (hereinafter the ‘Data Protection Act’) is in principle applicable to the collection and processing of biometric data. The Data Protection Act, however, does not contain specific provisions which mention biometric data as such.

In the annual report of 2005 of the national Data Protection Authority (DPA), the DPA discusses the use of biometric data in the context of a request for an opinion about an access control system. The DPA also refers to biometrics in relation with the developments in Europe with regard to the installation of a visum information system (VIS), the new passports and travel documents and the second generation of the Schengen information system (SIS II).  

The Belgian DPA stated in this report, which discusses an opinion that was rendered by the DPA in 2005, that an access control system for a dancing club permitting the identification of the customers by collecting and storing fingerprints in a data base was excessive. The DPA stated that ‘the fingerprints have to be considered ‘biometric data’ and have to be used in a careful way’. It further stated that ‘the processing of such data shall be evaluated by the usually applicable texts, taking into account the higher risk of breaching the privacy that this method in some cases entails’. The DPA stressed that ‘in view of what has been said above, [ ] the evaluation of the proportionality of the use of such data taking into account the envisaged purpose [shall] be decisive’[emphasis added]. The DPA further reasoned that fingerprints shall only be used if this is ‘absolutely necessary’ for the control of the identity. The dancing club argued that young people were not always carrying an identity card and that therefore the use of fingerprints was necessary. The DPA reminded that in Belgium there is a legal obligation to carry an identity card, and that the dancing club could therefore require carrying and showing of such a card. The DPA stated that, in addition, the dancing owner had the possibility to introduce a ‘membership card’ with a picture ID, which would also permit to control the identity at the entrance. Such membership card would render the use of more extreme means such as the use of biometric data, superfluous.

The discussion of the opinion in the annual report shows that the proportionality principle to which the DPA refers is a main criterion which the DPA applies in its decision on the use of biometrics. The DPA hereby referred to Article 4, §1, 4° of the Belgian Data Protection Act which requires that the data shall be ‘adequate, relevant, useful and not excessive (…) taking into account the purposes for which they are collected or processed’. The importance and the meaning of this principle will be further discussed below.

In the same report, the DPA explicitly referred to several opinions of the Article 29 Data Protection Working Party in which biometric data was discussed. With regard to the data in VIS, the DPA repeated the concern of the Article 29 Data Protection Working Party for additional guarantees for the processing of biometric data. In connection with the passports and travel documents, the DPA stressed that the use of biometric data in these documents entail several ethical, legal and technical questions. For SIS II, the DPA pointed again to the position of the Article 29 Data Protection Working Party and that the proportionality principle should be the guiding principle for adding new functionalities to the system, such as the introduction of biometric data. The use of biometric data for purposes of identity control shall be strictly limited to situations, provided for by law, where such use is absolutely necessary (including in the interest of the data subject) and accompanied with appropriate safeguards.

France 

In France, the general data protection law N° 78-17 of 6th January 1978, as modified, (hereinafter the ‘Act N° 78-17’) mentions explicitly biometric data. The Act N° 78-17 requires since a modification of the Act in 2004 that the automated processing of biometric data for identity control must receive the prior authorisation of the DPA (Article 25, I, 8°). Referring to the wording of this Article 25, it is not entirely clear from the text whether the use of biometric data for verification purposes (1:1) would also fall under this article. If this would not have been the intention of the legislator, the use of biometric data for verification would then only be subject to the requirement of notification (‘déclaration’) prior to the start of the processing.  The DPA however seems to take a different position (see below).

The DPA may also issue an ‘unique authorisation’ (‘decision unique’) for the data processing which include biometric data and which have a same purpose, contain the same categories of personal data and have the same (categories of) receivers as set forth in the unique authorisation which the DPA proclaims (Article 25, II). If a controller esteems that the data processing of the biometric data meets these criteria, he shall send a ‘letter of conformity’ to the DPA stating that the data processing complies with the description in the unique authorisation.

The processing of biometric data necessary for the ‘authentication’ or the identity control for the government needs to be authorised by an ordinance in execution of the law after the DPA has rendered its opinion which shall be public and motivated (Article 27, I, 2°). 

Before this change in law, the DPA was consulted several times with regard to the deployment of biometrics.

In an opinion of 23rd April 2002, the DPA advised in a positive way on the deployment of three biometric characteristics (fingerprint, iris or hand geometry) for access control of employees to the security area of the airports of Orly and Roissy. The opinion related to a trial project and seemed to imply also a central database. At the same time, the DPA was very sceptical about the use of biometric fingerprints for access control purposes by an employer, stored in a central database, unless the use of these biometrics was necessitated by an undisputable security objective. The DPA approved in 2004 the final project for the use of a fingerprint stored on a token held by the employees of the airports of Orly and Roissy for verification purposes for access control to the security zone of the airport. The project for which the opinion was asked was in fact the continuation of the trial on which the previous mentioned opinion in 2002 was given. By decision of 8th April 2004, however, the DPA refused to give a positive opinion on an access control system for time and attendance control of employees in a hospital in Hyères.

Since the modification of the data protection legislation in France as described above, the DPA has issued so-called ‘unique authorisations’ with regard to the processing of specific biometric data for specific purposes. In one such authorisation, the use of fingerprints for access control is accepted if the biometric is stored on a token (smart card or USB token) held under the control of the employee. The other unique authorisations relate to the use of hand geometry of pupils for access to a school restaurant and the use of hand geometry for access control and time and attendance control of employees.

In a communication on its site in early 2007, the DPA stressed again that an authorisation is required for the processing of biometric data. It also stated that until that date, the DPA has given no authorisations so far or has not conferred to any processing the ‘CNIL label’.

In this communication, the DPA clarified its position as fingerprints should always be stored on an individual support. Its position is based on the consideration that fingerprints leave tangible traces on objects and in places where people have been. Fingerprints can easily be used for person identification and linked with other personal data if accessible in databases. This must be avoided, and as such use of fingerprints is not proportionate with the privacy risks such as being identified. According to the French DPA, other biometric characteristics which leave no persistent traces, such as iris or hand geometry, are less intrusive and therefore pose less problems under the proportionality principle.

The statement of the DPA on its website early 2007 that an authorisation for the use of biometrics is always necessary seems somewhat unclear. If biometrics are stored on an object under the control of the individual involved, such biometric is in principle used for verification purposes (on the term verification, see also sections and ). As stated above, is is unclear whether the French legislation only requires an authorisation when the biometrics are used for identification purposes. If the term ‘identification’ is used in the proper sense of comparison with a database (1:N), which is not possible in the case of the exclusive storage on a local object, one could argue that a prior authorisation would in the case of exclusive storage on a personal document or smart card not be required further to this Article 25. Only a notification would be necessary and the DPA could then always verify the functionality, the proportionality and the legitimacy of the processing after such notification. It is therefore desirable that the meaning of Article 25 and the interpretation by the French DPA be further clarified.

In June 2007, the French DPA stated on its website that since early 2007, it had examined more than 200 requests for authorisations for biometric systems and that it used more than 30 % of its control resources for the inspection of biometric systems. Therefore, the French DPA urged for more resources.

The French National Consultative Ethics Committee for Health and Life Science, which published an opinion on Biometrics, identifying data and human rights in April 2007, had already called for more support for the French DPA. The Committee said that ‘(…) measures protecting the freedom of citizens must be supported by independent structures designed to fight the possibility of technocratic, economic, police and political abuse in connection with the use of biometric data. CNIL, which is an example in France of a body meeting such criteria, should have its status and resources enhanced in order to improve its efficacy and independence.(…)’.

The Netherlands 

In the Netherlands, the general data protection law of 2000, as modified, (hereinafter the ‘Data Protection Act’) is in principle applicable to the collection and processing of biometric data. The Data Protection Act, however, does not contain specific provisions which mention biometric data as such.  

The DPA has paid attention to the issues of biometrics and its opinion has been requested several times. In 2001, the DPA was asked to advice on the bill to change the passport legislation in order to introduce biometrics. Other opinions which are relevant for the use of biometrics include an opinion on the use of face recognition and the use of biometrics for access control to public events, combined with use for police investigations. Another opinion relates to an access control system which was (at least) similar (or identical) to a system that was also reviewed by the DPA in Belgium.

In 2001, the Dutch DPA was asked its opinion on an access control system named ‘VIS 2000’ with biometrics intended for use by restaurant owners and sport centres. The system would be used for access control, marketing and management purposes and the storage of a ‘black list’ of customers who ‘misbehaved’ in one of the establishments who installed VIS 2000 (restaurants, sport centres, dancing clubs,…). The system provided for the storage of the templates of the fingerprint and the face. The templates of the face were also stored in a central database, combined with the membership card number and a code for the ‘misbehaviour’. The card number could be linked with the identity of the visitor/members communicated at the moment of issuance of the card. The biometric data were also stored on a smart card, and used for membership verification when entering the club. When entering the club, there was in addition a check made with the black list of persons who misbehaved, one of the main purposes of VIS 2000. The biometrics were hence used for the purposes of verification (1:1 check, comparing whether the holders of the membership cards were the owners of the card) and of identification (1:N check, comparing whether the holders were not yet registered in the central database of VIS 2000). In the case of past incidents, the biometric characteristics were also used for the identification of troublemakers (discovery of the ‘civil identity’ (see above, section ) by reverse-engineering the stored templates of the face to images, comparing the images with the images of the troublemakers taken by surveillance cameras and connecting the templates with the name, address and domicile data if a membership card was issued. The purposes of VIS 2000 were named as to increase the security of the other visitors and employees at the clubs, to maintain order and to refuse access to unwanted visitors.

The DPA stated in its opinion that the use of biometric data for access control purposes is far-reaching and that it should be evaluated whether the use of biometric data is in proportion with this purpose. The DPA checked the collection and use of the biometric data against several obligations of the Data Protection Act. It should be noted, however, that the DPA did not investigate thoroughly the proportionality of the use of the biometrics as described above. The DPA did not discuss whether there are other, less intrusive means to maintain order and to refuse troublemakers to the club at their next visit without storing biometrics in a central database. As there is a membership requirement in some cases, the DPA could have suggested for example, that it was sufficient to withdraw the membership card from troublemakers after an incident and to restrict access to those individuals who hold a membership card with picture. Such membership cards could then be issued after a control of a central list, which mentions previous applications and/or suspensions, but without biometrics.

In this opinion, the DPA explicitly recognises the possibility to reconstruct from the template of the face the original scanned facial image based on the algorithm used. It is acknowledged by some that templates of the face can be easily reverse-engineered to the images. This is an important factor in the evaluation in biometrics. This reverse-engineering of the templates was one of the main functionalities of VIS 2000 to identify troublemakers. This technical feature, however, has important consequences. It implies that the face scan at all times may contain information about someone’s race, which shall in principle not be processed. The Dutch Data Protection Act contains an explicit exception to this prohibition of processing of this information, in particular, when such processing is used for the identification of the person and to the extent such is necessary for this purpose. The DPA considered it inevitable that use is made of templates of the face (containing information about race) for the identification of troublemakers. As stated above, the DPA does not make a proportionality test about the use of biometric data, and seems to mistakenly consider the test about the necessity to use information about race as sufficient.

The DPA continues that the use of personal data for marketing purposes should not include biometric data and that the processing for this purpose should be separated from the other purposes. The DPA concludes its opinion with several recommendations, including with regard to the term of storage and security (requirement for encryption of the templates and membership card numbers) and for the operation of the biometric system. The DPA also requested that any VIS 2000 systems already installed would comply with these requirements.

The divergence of the outcome of this opinion of the Dutch DPA is interesting as compared with the evaluation, comments and conclusion of the Belgian DPA with regard to a similar system (see above). As mentioned above, the Belgian DPA reported in its annual report of 2005 that it rendered a negative opinion on a similar system. It considered the use of biometric characteristics for access control for a dance club not proportionate with such a purpose. More particular, the Belgian DPA found the use of biometrics for identification purposes (as explained above, in section disproportionate and entailing risks for the privacy of the visitors.

The United Kingdom  

In the United Kingdom, the Data Protection Act 1998, which came into force in March 2000, (hereinafter the ‘Data Protection Act 1998’) is in principle applicable to the collection and processing of biometric data. The Data Protection Act 1998, however, does not contain specific provisions which mention biometric data as such.  

Biometric data processing, however, has been a topic of discussion as the use of biometrics for the eID card was heavily debated, discussed and researched in the build-up to the voting of the Identity Cards Bill which resulted in the Identity Cards Act 2006. This Act requires all individuals over the age of sixteen to register personal details, including identity (name), address and residential status, as well as a photograph and biometrics, i.e., fingerprint and ‘other biometric information’. This information can also be provided to other persons for verification ‘or otherwise with consent’. The new legislation will also install a central register, the ‘National Identity Register’.

Biometric characteristics are also increasingly used in the private sector. It is noteworthy that there seems an increasing trend for the use of biometrics at schools. The Information Commissioner would not yet have taken position as to the use of biometrics in this context. Other applications in the private sector are trials for the use of fingerprints as approval for payment. It is interesting to note that at the website of the CESG (see above, section ), it is stated that there are currently no government approved biometric applications and that they ‘do not expect any to be available in the near future as none of the technologies have yet, in [their] view, reached the stage where [they] would be happy with them as the sole access control mechanism. The CESG does provide advice on biometrics product selection and for this purpose publishes a on its website a manual ‘Biometrics for Identification and Authentication – Advice on Product selection’ dated March 2002.

Regulation for biometrics as a primary key for interoperability ?

The role of biometrics in the ongoing efforts to create interoperability of databases in the European Union is hereunder reviewed and the question is raised whether there is an appropriate legislation in this regard. First, the history of interoperability as a policy concept is traced. Furthermore, the assumption is made that biometrics will be regarded as the most important primary key soon. Biometric identifiers are in all EU policy documents referred to as much more reliable than the a-numerical primary keys so far. However, the technical shift towards key-interoperability of biometrics still needs confirmation. The question is whether there is appropriate legislation on interoperability as of yet and if not, whether data protection legislation as the legal framework within which interoperability should be made to work will do for biometrics.  

Interoperability of European databases in the ‘First Pillar’ and the ‘Third Pillar’

Surprisingly, in the EU, the term interoperability, though used widely, cannot be defined clearly. The European Commission has tended to present interoperability as a technical concept. The 2005 Commission Communication “on improved effectiveness, enhanced operability and synergies among European Databases in the area of Justice and Home Affairs” defines interoperability as “the ability of IT systems and of the business processes that they support to exchange data and to enable the sharing of information and knowledge”. Earlier FIDIS work in the area of interoperability has concluded that “the subject of interoperability is complex and covers the whole range of issues from technical, legal, policy and cultural dimensions”. The FIDIS work has therefore been focused on addressing the diverging issues and deepening understanding, especially of the social and cultural questions.

The exact scope of the term thus remains subject to interpretation and context. In the 2006 Commission Communication on “Interoperability for Pan-European e-Government Services” interoperability was first put forward as a means to enhance the cooperation of administrations in the context of e-government. This introduction within the framework of e-government builds on earlier use of the objective of interoperability in areas within the realm of the free movement of goods, people, workers and services (the so-called First Pillar). Justice and Home Affairs (JHA) issues have been brought into the remit of the European Union much later and fall under the so called Third Pillar, which means amongst others, that decisions are taken on the basis of unanimity. It is obvious, that in the context of the original policy areas, interoperability was basically a technical issue. One technically compatible infrastructure would achieve improved effectiveness and meet the interest of EU, its business community and its citizens. However, whatever the interpretation of the concept, it cannot be denied that in the Third Pillar policy area of Justice and Home Affairs interoperability potentially has a much more intruding effect and can touch fundamental rights, and privacy and data protection issues.

The direct link between eGovernment, EU policies and interoperability is interesting. In a book on ICT and innovation, Meijer and Zouridis have argued that e-government is an innovation which may have undesired effects. They argue that the development of e-government is stagnating in many countries as a result of institutional rather than technical barriers. They point out that there is an absence of debate on competing values in e-government and note that debates tend to be framed in terms of efficient information processing. In this sense, e-government is obviously about efficiency and cooperation, but also about new structures and vehicles for domination and legitimation which need public debate. To see interoperability as an element of e-governmental organisational innovation could well be instrumental in making sense of emerging new balances between security and liberty, and changing power oppositions and relationships.

In the context of the Third Pillar, the Commission launched as stated above a first Communication on interoperability and synergy among European databases in the area of Justice and Home Affairs in November 2005. The purpose of the communication is to highlight how, beyond the present purposes, the Visa Information System (VIS), the second generation Schengen Information System (SIS II), and other databases “can more effectively support the policies linked to the free movement of persons and serve the objective of combating terrorism and serious crime”. The term interoperability is used to describe the linking of large-scale EU IT-systems such as VIS and SIS but also to describe linking or even merging of national databases (DNA and Automated Fingerprints Identification Systems (AFIS) merging into a European database). Interoperability thus refers to both the linking of large scale IT systems and to the linking of national and international databases.

Biometrics and Interoperability 

In the 2005 Commission Communication a clear link is made between biometrics and interoperability. The Commission notes with approval that the challenge of identifying persons in databases with millions of entries has been solved in Eurodac and in the VIS by using biometric searches, “allowing unprecedented accuracy”. The use of biometric information in SIS II is also applauded, except for its restricted scope: “As the SIS II is being developed today, biometrics will only be used to confirm the identification of the wanted person (wanted persons meaning “persons for whom an alert has been issued”, including persons who should be refused entry) based on an alphanumerical search. When available, biometric searches would allow more accurate identification of wanted persons. However, SIS II would only store biometric information that could be legally linked to an alert in SIS II”.

The Communication also notes that all the existing European databases, including Eurodac, are underexploited: “Although the Eurodac Regulation obliges Member States to take fingerprints of all persons aged over 14 who cross their borders irregularly and cannot be turned back, the quantity of such data sent to Eurodac is a surprisingly low fraction of the total migratory flow”. Furthermore, it is observed that there is no possibility to use asylum, immigration and visa data for internal security purposes: “In relation to the objective of combating terrorism and crime, the Council now identifies the absence of access by internal security authorities to VIS data as a shortcoming. The same could also be said for all SIS II immigration and Eurodac data. This is now considered by the law enforcement community to be a serious gap in the identification of suspected perpetrators of a serious crime”. The Communication contains numerous ‘short term scenario’ proposals to improve the use of the current databases. For instance, a more comprehensive access to VIS and SIS II by asylum and immigration authorities is proposed to allow these ‘Eurodac-authorities’ to complete the assessment of asylum applications: “Visa data can help to assess the credibility of an asylum claim and SIS II data can indicate if the asylum seeker constitutes a threat to public order or national security. A check in Eurodac, SIS II and VIS would allow asylum authorities to check the data simultaneously in the three systems”. This recommendation is followed by the suggestion to also consider the opposite move, allowing ‘authorities responsible for internal security’ to access the VIS and Eurodac data: “As regards Eurodac, the only information available to identify a person may be the biometric information contained in Eurodac if the person suspected to have committed a crime or an act of terrorism has been registered as an asylum seeker but is not in any other database or is only registered with alphanumerical, but incorrect data (for example if that person has given a wrong identity or used forged documents). Authorities responsible for internal security could thus have access to Eurodac in well-defined cases, when there is a substantiated suspicion that the perpetrator of a serious crime has applied for asylum. This access should not be direct but through the authorities responsible for Eurodac. Access to these systems could also contribute to the identification of disaster victims and unidentified bodies”.

From the above, it becomes already clear that the 2005 Commission Communication discussing interoperability was intended more as the starting point for a large political debate than as a road map with a clearly marked route and identified aim. It contained several scenarios that have since been regarded as middle- and short term objectives. One, for example, is the creation of (a) European register(s) for travel documents and identity cards with biometric identifiers. It also envisages a network linking national databases of this kind, with the purpose of checking the authenticity of travel documents, i.e. to check the identity of the traveller against the document in order to prevent identity fraud. Another scenario envisaged by the Communication is the above mentioned creation of a European Automated Fingerprints Identification System (AFIS) for criminal matters, either by establishing one large EU-wide database or by interlinking national databases.  

Elsewhere, we have called the Communication “a wish list” compiled to serve the interest of only one good, viz. security. The Communication cannot be accused of a lack of vision but, by underplaying the political dimension of interoperability, it sets an agenda without making useful distinctions between organisational, technical, and legal interoperability issues and between ordinary and more controversial applications.

Interoperability is thus much more than a technical process of interconnecting ICT-systems. It obviously has technical, semantic, social, cultural, economic, political, organisational and legal dimensions. That is why FIDIS has developed a holistic framework in order to address these diverging issues avoiding the pitfalls of a too limitative or too biased definition. Such a notion ‘can serve as an umbrella, beneath which can exist many disparate but complementary definitions, according to perspective or layer of abstraction’.

Decisions on the choices that can be made, should be informed decisions made through a political and legal process that addresses the question whether the data exchange envisaged is legally or politically possible or required. De Hert and Gutwirth have argued that it is particularly the case when there is interoperability with systems outside the EU, between law enforcement and other systems, or within the framework of intelligence led policing.

If we focus on the interoperability of biometrics in the JHA framework, we observe that the assumption is that biometrics eventually will have to become the primary key. A primary key is the basic unit of data under which all other forms of data collected are categorised and stored. We make this assumption based on the observation that biometric identifiers are expected to be much more reliable than the a-numerical primary keys used so far. De Hert and Gutwirth have stressed the distinction between interoperability of keys and interoperability of content. Traditionally content is made accessible by using alphanumeric data such as names and/or date of birth. Because of problems with spelling and accuracy, the creation of unambiguous identifiers (e.g. biometric data and social security numbers) is now considered to be a necessity by many. Here biometric identifiers are regarded as the perfect solution in the making.

The use of biometric identifiers in the context of SIS II and the Prüm Treaty support this premise. Of course, since the Council and the Commission adopted the Hague Programme in June 2005, the EU has been set on the fast track of rapid introduction of biometric identifiers in passports and travel documents. Biometrics provides unique identifiers that are regarded superior to using a-numerical identifiers such as name and first name. The use of biometric technology in combination with increased availability and interoperability of data within the European Union are heavily relied on to enhance future security in Europe. Serious concerns about the societal impact of the use of biometrics at a large scale, the underestimated financial implications, their technical feasibility, their susceptibility to large scale fraudulent use, their privacy implications, and the impact of the uncomfortable mix of the use of biometrics in civil and public sector applications have not gathered the momentum needed to put a stop to the embracing of biometrics at governmental level.

Biometrics, Interoperability and Data Protection 

Eurodac has been a test case for the debate about the massive use of biometric technology. The European Data Protection Supervisor (EDPS), in its subsequent opinions regarding the use biometrics in EU databases, has pointed out that the use of biometrics in such databases is useful, but the technology still has important drawbacks, e.g. the accuracy of fingerprints is still not sufficiently high. Therefore, the EDPS has warned in all his opinions on biometrics that all biometric identification systems are inherently imperfect and that they must hence provide for adequate fallback solutions. More fundamentally, the EDPS opposes the use of biometrics as the primary key, as it would make the merging of different databases possible with very little effort and enhanced key-interoperability is simply not a desired good for many: it trespasses a privacy-decent border and the resulting level of transparency of citizens is problematic in a democratic state keen on power-management. This is recognised as a potential problem in expert reports; at the same time it is suggested that complex technical solutions are available in the form of MOC (matching on card), BAC (Basic access Control), EAC (Extended Access Control) and new methods of matching biometrics data in irreversibly encrypted form. The current weaknesses in key management are also expected to be temporary and technical improvement eminent.

At a public hearing in the European Parliament on 2nd March 2004, European Justice and Home Affairs Commissioner Antonio Vitorino highlighted the successful work of the Eurodac fingerprint database for the comparison of fingerprints of asylum applicants and illegal immigrants, saying that out of 250,000 identifications there has not been one ‘false positive’ ID. As Eurodac is a hit/no hit European database, this great achievement might come into a completely new light when the data would become used as a key identifier, with unforeseen social, legal, political, cultural or economic implications for the individual involved. According to expert reports, all unique identifiers used as primary keys, including biometric applications, have an error-rate that is undesirable when working with large-scale applications. The technical shift towards key-interoperability of biometrics is not confirmed yet, but if it does, it will need a full public debate and an extended impact assessment as well as expert scenario research.

What is important to note is that this is not an academic discussion on the merits of technology or its legal implications: Schengen II and Prüm have introduced data searches on the basis of biometric identifiers and expectations about the accuracy of biometric data and machine readable documents are now at the heart of European Union policies, also in the area of Justice and Home Affairs. Accuracy is indeed a data protection requirement, but proportionality is it as well. Whilst the technological challenge is to produce reliable and cost effective biometric applications, the biggest challenge in legal terms is to meet the requirements of the proportionality principle. In fact, in a puritan interpretation of this principle, the legal starting point should be a situation of non-interoperability rather than interoperability.

There is no legislation on interoperability and thus data protection legislation is the legal framework within which it should be operated. For institutional reasons, the 1995 EC Directive on data protection excluded the processing of data by justice and home affairs authorities. There is now a proposal for a data protection framework for the Third Pillar. So far, all European initiatives involving any data processing by police and judicial actors have stipulated specific data protection rules, resulting in a fragmented body of regulations. Some have argued that the legal answer to the fragmentation should be one single legal framework for all databases set up under the First and the Third Pillar.

All EU countries have their own national data protection legislation too. Data protection protects a plurality of values that do not always coincide and often conflict. European data protections recognise this in different ways: Firstly, by identifying and distinguishing categories of sensible data that is submitted to tougher rules. Secondly, by imposing the collection limitation principle according to which there should be limits to the collection of personal data and such data should be obtained fairly and lawfully and, where appropriate, with the knowledge or consent of the data subject. Thirdly, by enforcing the purpose specification principle and the use limitation principle. Fourthly, the data collected and exchanged should be adequate, relevant and proportional in relation to the purpose for which they are collected (proportionality principle). As regards the latter, many observers have been quite bold when it comes to assessing the collection of biometric data in the EU. “A facet of proportionality is that the measures undertaken are urgent enough to justify such radical inroads into privacy rights. There is little or no evidence so far that biometric technology has contributed to reducing either terrorism or irregular migration as intended”. It is doubtful whether this assessment would be different when the question would be whether the policy goal of more efficient government would justify the collection of biometric data.

In his comment on the proposed framework decision on data protection in the Third Pillar, the European Data Protection Supervisor observes that neither the proposed framework decision, nor the proposal for a Council framework decision on the exchange of information under the availability principle address the sensitivity and specificities of biometric data and DNA profiles from a data protection point of view. Data protection will not do for biometrics. Data protection rules need to be supplemented with incriminations for theft and unauthorised use of biometric data. Legally, we will need to be prepared for new forms of biometric crime and thought should also go into prohibitions on unnecessary or risky use of biometrics, e.g. for ordinary financial transactions. In January 2007 a bank in Rome was robbed because of the use of a severed finger to gain entry. The severed finger was left on the pavement after the hold up. What about prohibitions for schemes such as the scheme for Maastricht coffee shop visitors or prohibitions of central stored biometrics; prohibitions of storing “raw images”, prohibitions on non-encrypted processing and transmitting of biometrical data and so forth.

Biometrics and interoperability are presented as answers to an increased security or terrorism threat, but are in fact part of a larger public sector innovation development. Instead of solely referring to biometrics and interoperability as data protection issues we should relate them to the new forms of governance in the context of ICT and public innovation. This will also help us in approaching the opportunities and problems related to the simultaneous use of biometrics by the private and the public sector.

Interoperability is therefore in fact a highly sensitive political issue as it has the potential of striking citizens right at the heart of their social, political and cultural wellbeing. To create key operability would be a political choice. The regulation of biometrics requires recognition that interoperability is a political, rather than a technical concept and merits a broad public debate. The broader aspects of interoperability should be addressed widely, particularly in cases of interoperability with systems outside the EU, between law enforcement and private systems or in intelligence led policing.