Summary of the Opinion of the European Data Protection Supervisoron the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2018/C 338/12)

This Opinion outlines the position of the EDPS on the Proposal for a Regulation of the European Parliament and of the Council on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.

In this context, the EDPS observes that the Commission has clearly chosen to prioritise the free movement aspects of the Proposal and to treat the security-related objective as corollary. The EDPS remarks that this might have an impact on the analysis of necessity and proportionality of the elements of the Proposal.

The EDPS supports the objective of the European Commission to enhance the security standards applicable to identity cards and residence documents, thus contributing to security of the Union as a whole. At the same time, the EDPS considers that the Proposal does not sufficiently justify the need to process two types of biometric data (facial image and fingerprints) in this context, while the stated purposes could be achieved by a less intrusive approach.

Under the EU legal framework, as well as within the framework of Modernised Convention 108, biometric data are considered sensitive data and are subject to special protection. The EDPS stresses that both facial images and fingerprints that would be processed pursuant to the Proposal would clearly fall within this sensitive data category.

Furthermore, the EDPS considers that the Proposal would have a wide-ranging impact on up to 370 million EU citizens, potentially subjecting 85 % of EU population to mandatory fingerprinting requirement. This wide scope, combined with the very sensitive data processed (facial images in combination with fingerprints) calls for close scrutiny according to a strict necessity test.

In addition, the EDPS acknowledges that, given the differences between identity cards and passports, the introduction of security features that may be considered appropriate for passports to identity cards cannot be done automatically, but requires a reflection and a thorough analysis.

Moreover, the EDPS wishes to stress that Article 35(10) of the General Data Protection Regulation (hereinafter ‘GDPR’) (1) would be applicable to the processing at hand. In this context, the EDPS observes that the Impact Assessment accompanying the Proposal does not appear to support the policy option chosen by the Commission, i.e. the mandatory inclusion of both facial images and (two) fingerprints in ID cards (and residence documents). Consequently, the Impact Assessment accompanying the Proposal cannot be considered as sufficient for the purposes of compliance with Article 35(10) GDPR. Therefore, the EDPS recommends to reassess the necessity and the proportionality of the processing of biometric data (facial image in combination with fingerprints) in this context.

Furthermore, the Proposal should explicitly provide for safeguards against Member States establishing national dactyloscopic databases in the context of implementing the Proposal. A provision should be added to the Proposal stating explicitly that the biometric data processed in its context must be deleted immediately after their inclusion on the chip and may not be further processed for purposes other than those explicitly set out in the Proposal.

The EDPS understands that using biometric data might be considered as a legitimate anti-fraud measure, but the Proposal does not justify the need to store two types of biometric data for the purposes foreseen in it. One option to consider could be to limit the biometrics used to one (e.g. facial image only).

Moreover, the EDPS would like to underline that it understands that storing fingerprint images enhances interoperability, but at the same time it increases the amount of biometric data processed and the risk of impersonation in case of a personal data breach. Thus, the EDPS recommends to limit the fingerprint data stored on the documents chip to minutiae or patterns, a subset of the characteristics extracted from the fingerprint image.

Finally, taking into account the wide range and potential impact of the Proposal outlined above, the EDPS recommends setting the age limit for collecting children's fingerprints under the Proposal at 14 years, in line with other instruments of EU law.

1.   INTRODUCTION AND BACKGROUND

7.   CONCLUSIONS

The EDPS observes that the Commission has clearly chosen to prioritise the free movement aspects of the Proposal and to treat the security-related objective as corollary. The EDPS remarks that this might have an impact on the analysis of necessity and proportionality of the elements of the Proposal.

The EDPS supports the objective of the European Commission to enhance the security standards applicable to identity cards and residence documents, thus contributing to security of the Union as a whole. At the same time, the EDPS considers that the Proposal does not sufficiently justify the need to process two types of biometric data (facial image and fingerprints) in this context, while the stated purposes could be achieved by a less intrusive approach.

Under the EU legal framework, as well as within the framework of Modernised Convention 108, biometric data are considered sensitive data and are subject to special protection. The EDPS stresses that both facial images and fingerprints that would be processed pursuant to the Proposal would clearly fall within this sensitive data category.

Furthermore, the EDPS considers that the Proposal would have a wide-ranging impact on up to 370 million EU citizens, potentially subjecting 85 % of EU population to mandatory fingerprinting requirement. This wide scope, combined with the very sensitive data processed (facial images in combination with fingerprints) calls for close scrutiny according to a strict necessity test.

In addition, the EDPS acknowledges that, given the differences between identity cards and passports, the introduction of security features that may be considered appropriate for passports to identity cards cannot be done automatically, but requires a reflection and a thorough analysis.

Moreover, the EDPS wishes to stress that Article 35(10) of the GDPR would be applicable to the processing at hand. In this context, the EDPS observes that the Impact Assessment accompanying the Proposal does not appear to support the policy option chosen by the Commission, i.e. the mandatory inclusion of both facial images and (two) fingerprints in ID cards (and residence documents). Consequently, the Impact Assessment accompanying the Proposal cannot be considered as sufficient for the purposes of compliance with Article 35(10) GDPR. Therefore, the EDPS recommends to reassess the necessity and the proportionality of the processing of biometric data (facial image in combination with fingerprints) in this context.

Furthermore, the Proposal should explicitly provide for safeguards against Member States establishing national dactyloscopic databases in the context of implementing the Proposal. A provision should be added to the Proposal stating explicitly that the biometric data processed in its context must be deleted immediately after their inclusion on the chip and may not be further processed for purposes other than those explicitly set out in the Proposal.

The EDPS understands that using biometric data might be considered as a legitimate anti-fraud measure, but the Proposal does not justify the need to store two types of biometric data for the purposes foreseen in it. One option to consider could be to limit the biometrics used to one (e.g. facial image only).

Moreover, the EDPS would like to underline that it understands that storing fingerprint images enhances interoperability, but at the same time it increases the amount of biometric data processed and the risk of impersonation in case of a personal data breach. Thus, the EDPS recommends to limit the fingerprint data stored on the documents chip to minutiae or patterns, a subset of the characteristics extracted from the fingerprint image.

Finally, taking into account the wide range and potential impact of the Proposal outlined above, the EDPS recommends setting the age limit for collecting children's fingerprints under the Proposal at 14 years, in line with other instruments of EU law.

(1)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(2)  Proposal for a Regulation of the European Parliament and of the Council of 17 of April 2018 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, COM(2018) 212 final, 2018/0104 (COD).

(3)  Communication from the Commission to the European Parliament and the Council of 8 of December 2016: Action plan to strengthen the European response to travel document fraud, COM(2016) 790 final.

(4)  Communication from the Commission to the European Parliament, the European Council and the Council enhancing security in a world of mobility: improved information exchange in the fight against terrorism and stronger external borders, COM(2016) 602 final.