6.8.2008   

EN

Official Journal of the European Union

C 200/1

1.

On 18 October 2007, the European Commission submitted a Proposal for a Regulation (hereafter ‘the proposal’) to the European Parliament and the Council aiming at amending Regulation (EC) No 2252/2004 (1). The European Data Protection Supervisor (EDPS) was not consulted about this proposal, although, according to Article 28(2) of Regulation (EC) No 45/2001, the Commission shall consult the EDPS, when it adopts a legislative proposal relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

2.

The EDPS regrets that the Commission did not comply with its legal obligation to consult him and expects to be consulted in the future on all proposals falling within the scope of Article 28(2). The EDPS has decided to issue an opinion at his own initiative. In view of the mandatory character of Article 28(2), the present opinion should be mentioned in the preamble of the text.

3.

The background of the proposal is as follows. On 13 December 2004, the Council adopted Regulation (EC) No 2252/2004 on security standards and biometrics for passports and other travel documents issued by Member States in order to introduce biometric data in passports. Together with security elements, biometric data aim at strengthening the link between the passport and the holder of this document. On 28 February 2005, the Commission adopted the first part of the technical specifications (2) which relate to the storage of the facial image of the holder on a contact-less chip. On 28 June 2006, the Commission adopted a second Decision (3) relating to the additional storage of two fingerprints on the passport chip.

4.

In view of harmonising exceptions to the biometrics passport, the proposal has added the following measures: children under the age of 6 years are exempted from the obligation to give fingerprints, and persons who are physically unable to give fingerprints should be also exempted from this requirement.

5.

Additionally the proposal introduces the obligation of ‘one person — one passport’ which is described as a supplementary security measure and additional protection for children.

6.

The EDPS welcomes the fact that the Commission took into account the point related to fallback procedures, stated in his previous opinions, as mentioned in the explanatory memorandum of the proposal.

7.

The EDPS regrets that the Commission did not conduct an impact assessment on this proposal. It is unclear therefore how the Commission was in a position to properly evaluate necessity and proportionality of the proposal in relation to data protection issues without the support of a rigorous impact assessment. Such an analysis should not be limited to the cost triggered by new measures and could benefit from similar issues already raised in the context of other proposals like the one on the review of the Common Consular Instructions (4). The lack of impact assessment also underscores the need for reviewing the age limit indicated in the proposal as it is further explained in part 2.1 of this opinion.

8.

The EDPS recognised at several occasions the advantages provided by the use of biometrics, but also stressed that these benefits would be dependent on stringent safeguards being applied. In his opinion on SIS II (5), the EDPS proposed a non exhaustive list of common obligations or requirements which need to be respected when biometric data are used in a system. These elements will contribute to avoid that the passport holder is to carry the burden of system imperfections, such as the impact of misidentification or failure to enrol.

9.

Therefore, the EDPS supports strongly the proposal of the Commission to introduce exemptions from giving fingerprints based on the age of the person or his/her inability to give fingerprints. These exemptions are part of the fallback procedures that should be implemented. The EDPS also welcomes the effort of the Commission to adopt a coherent approach in different instruments dealing with similar issues as a proposal for exemption has been also introduced in the proposal for reviewing the Common Consular Instructions.

10.

However, the EDPS still considers these exemptions unsatisfactory, as they fail to address all the possible and relevant issues triggered by the inherent imperfections of biometric systems, and more specifically those related to children and elderly.

11.

In the explanatory memorandum of the proposal, the Commission refers to pilot projects in some Member States which have underlined that fingerprints from ‘children under the age of 6 seemed not to be of a sufficient quality for one-to-one verification of identity’. However, little or no information is available on these pilots and the circumstances in which they have been conducted; what ‘sufficient quality’ means has been neither explained nor defined until now.

12.

According to the EDPS, the age limit for children in giving fingerprints should be defined by a consistent and in-depth study which is to identify properly the accuracy of the systems obtained under real conditions, and which is to reflect the diversity of the data processed. The pilot projects as such do not provide sufficient information on which fundamental choices of the Community legislator can be based.

13.

The EDPS already underlined the need for such a study prior to any age limit definition in his opinion (6) on the proposal for a Regulation amending the Common Consular Instructions. Neither the available scientific literature nor the previous impact study conducted by the Commission in the frame of the Visa Information System proposal (7) presented conclusive evidence on a solidly based age limit for children.

14.

The EDPS recommends therefore that the age limit selected in the proposal should be considered as a provisional one. After three years, the age limit should be reviewed and supported by a large scale and in-depth study. Considering the sensitiveness of biometric data, as well as the competitive dimension of biometric systems, the EDPS suggests that this study should benefit from the management of a single European institution which has clear expertise and test-bed facilities in this field (8). All relevant stakeholders from industry to member states authorities should be invited to contribute to the study.

15.

Before the age limit is clearly defined by this study and in order to avoid any hazardous implementation, the EDPS recommends that the applied limit corresponds to those already adopted for large populations in the Regulation on the Eurodac system (9) related to the asylum seekers (the age limit for collecting children's fingerprints is 14 years) or the US Visit programme (10) (also 14 year age limit). These limits could be even slightly lower as the use of biometric data is strictly limited to a verification process (one to one comparison) according to Article 4(3) of Regulation (EC) No 2252/2004. Indeed, fewer errors are usually produced by such a process compared to an identification process (1 to n comparison) which presents higher error rates.

16.

The imperfections of fingerprint systems do not only concern younger children but also the elderly. It has indeed been demonstrated that accuracy and usability of fingerprints decrease as people grow older (11) and aspects of convenience and ergonomics are also especially relevant. Following the reasoning for the age limit of children, the EDPS recommends that an age limit for elderly which can be based on similar experiences already in place (US Visit has a limit of 79 years) is introduced as an additional exemption. The quality of elderly fingerprints for enrolment and matching processes will also have to be part of the study suggested earlier.

17.

Finally, the EDPS recalls that these exemptions should in no way stigmatize or discriminate those individuals who will be exempt, because of their age as a precautionary principle or because they present obviously unreadable fingerprints.

18.

As it is explained on the website of the International Civil Aviation Organisation (ICAO), the recommendation for a ‘one passport-one person concept’ (12) has been drafted mainly as a possible solution for solving lack of standardisation regarding family passports and the emergence of machine readable passports. The EDPS recognises that this concept could, as an additional benefit, contribute to the fight against child trafficking. However, the main purpose of a passport is to facilitate the travel of European citizens and not to fight against child abduction for which additional concrete and efficient measures are developed.

19.

According to a recent study (13), most of the risks of trafficking or abduction target minors travelling alone. It is clear that for this category, having a personal travel document constitutes an additional protection. However, it has to be underlined that according to the International Air Transport Association (IATA), children below the age of 6 are not allowed to travel without the person who has the parental authority.

20.

In the explanatory memorandum of the proposal, the Commission illustrates the need for this security measure with an example of a parent and kids registered in the same passport and the fact that biometric data of the children would not be stored in the chip, but only those of the parent. It has to be underlined that for children who are below the age limit proposed by the Commission, their biometric data will in any case not be stored in the passport. In this case, the burden of the additional cost and procedure for the parents, as well as the additional collection of personal data related to the children, seem to be excessive considering the possible added value offered by this principle.

21.

It has to be underlined as well that making access to or enrolment of data technically feasible (by providing a biometric passport to children who are exempted) becomes, in many cases, a powerful drive for de facto acceding or collecting these data. One can safely assume that technical means will be used, once they are made available; in other words, it is sometimes the means that justify the end and not the other way around. This can lead to subsequent demands for less stringent legal requirements (and lower age limit) to facilitate the use of these technical availabilities. Legal changes could then only confirm practices which are already in place.

22.

The EDPS recommends that the principle of ‘one person-one passport’ is applied only to children who will be above the age limit proposed by the Commission or the one which will be reviewed and confirmed by the study mentioned earlier.

23.

The issuing of passports in the Member States of the EU is dealt with under the national law of those Member States. National law requires the presentation of various documents, such as a birth certificate, citizenship certificate, family book, parental authorisation, driving licence, utility bill, etc. These documents are usually called ‘breeder’ documents, as passports may stem from them.

24.

There are wide differences between the laws of the Member States of the EU in this respect. The way ‘breeder’ documents are produced in the Member States as well as the documents which are required for the delivering of a passport show a great diversity of situations and procedures, which are bound to decrease the quality of data in passports and even to foster the risk of identity theft.

25.

Usually enjoying less security features, the ‘breeder’ documents are more likely to be subjected to forgery and counterfeiting as opposed to an enhanced passport using biometric data protected by PKI systems.

26.

Although the EDPS welcomes the objective of the Commission to enhance passport's security measures, he would like to stress that the passport is only one link of a security chain starting from these ‘breeder’ documents and ending at the border check points; and that this chain will only be as secure as its weakest link. The EDPS therefore recommends the Commission to propose additional measures for harmonising the way in which ‘breeder’ documents are produced and which of them are required for a passport.

27.

According to an in-depth survey (14) conducted by the Article 29 Data Protection Working Party at the request of the LIBE committee of the European Parliament and focused on the implementing practices as regards as Regulation (EC) No 2252/2004, several Member States have foreseen the implementation of a central database for storing the biometric data of the passport. Although it is possible for the Member States to implement only a verification procedure of biometric data using a centralised database, as it is strictly limited to in the Regulation, this option presents additional risks regarding the protection of personal data, such as the development of further purposes not foreseen in the regulation, or even fishing expeditions into the database which will be difficult to mitigate (15).

28.

The EDPS recommends the Commission to propose further harmonisation measures in order to implement only the use of decentralised storage (in the wireless chip of the passport) regarding biometric data collected for EU Member States' passports.

29.

The Commission's Decision (16) of 28 June 2006, C(2006) 2909, defined only the format and the quality of the fingerprint images which should be processed as well as the way in which they have to be protected (Extended Access Control). There is no indication in the proposal either on the possible Failure to Enrol Rate (FER) and the rates related to the matching process. The proposal has indeed foreseen fallback procedure for young children (age limit), but the threshold which indicates when fingerprints are not good enough for being enrolled is not defined.

30.

Regarding the matching process, the proposal failed also to define which False Rejection Rate (FRR) should be applied at the border and how to deal with persons who have been apparently falsely rejected. This lack of uniform rates could lead to different processes of biometric data of EU citizens, depending on the border the person would select for entering the Schengen area, and could thus result in a lack of equal treatment of European citizens regarding the residual risk of biometric systems. Because the process is a one to one verification, the EDPS recognises that the FRR will be lower than the one applied for an identification process and there will therefore be fewer cases to deal with. However, fallback procedures need also to be defined in a harmonised and satisfactory way for those persons.

31.

The EDPS recommends the Commission to propose common rates for the enrolment and matching process completed by fallback procedures together with the Member States' authorities.

32.

The proposed amendments to existing rules on standards for security features and biometrics in passports and travel documents issued by Member States, give rise to similar issues as raised in previous opinions, although the EDPS welcomes that the need for fallback procedures has now been taken into account.

33.

The EDPS also welcomes the introduction of exemptions based on the age of the person or his/her ability to give fingerprints, as well as the effort to adopt a coherent approach in different instruments dealing with similar issues.

34.

However, the EDPS still considers these exemptions unsatisfactory, as they fail to address all the possible and relevant issues triggered by the inherent imperfections of biometric systems, and more specifically those related to children and elderly.

35.

The age limit for children should be defined by a consistent and in-depth study which is to identify properly the accuracy of the systems obtained under real conditions, and to reflect the diversity of the data processed. This study should be executed by a European institution with clear expertise and adequate facilities in this field.

36.

Before the age limit is defined by the study and in order to avoid any hazardous implementation, the provisional limit should correspond to those already adopted for large populations, either in the Eurodac system or the US Visit programme (age of 14 years), or be slightly lower since only in the context of a verification process.

37.

An age limit for elderly, which can be based on similar experiences (US Visit: age 79), should be introduced as an additional exemption. Such exemptions should in no case stigmatize or discriminate the individuals concerned.

38.

The principle of ‘one person-one passport’ should be applied only to children above the relevant age limit.

39.

In view of the existing diversity under national laws as to documents required for the issuing of passports, the Commission should propose additional measures to harmonise the production and the use of such ‘breeder’ documents.

40.

The Commission should also propose further harmonisation measures in order to implement only the decentralised storage of biometric data collected for Member States' passports.

41.

Finally, the Commission should propose common rates for the enrolment and matching process completed by fallback procedures together with the Member States' authorities.