Could Biometrics Become Mandatory for EU Citizen ID Cards?

By Sam Gazeley | 2Q 2019 | IN-5475

On February 19, 2019, representatives of the Romanian Presidency of the Council of the EU and of the European Parliament reached an informal agreement on a regulation to strengthen the security of identity cards and residence documents issued to EU citizens and their non-EU family members.

An Upgrade to Security Standards

In recent years, common EU security standards have been introduced for travel and residence credentials such as passports and residence permits. National identity cards and the residence documents issued to EU citizens and their family members, by contrast, are still produced under a wide range of national security standards, which leaves some of them susceptible to forgery and fraud.

If the agreement is endorsed by EU ambassadors and formally adopted, the new security standards will require identity cards to be produced:

  • In the uniform credit-card format (ID-1)
  • With a machine-readable zone (MRZ)
  • Meeting at least the minimum security standards set by the International Civil Aviation Organization (ICAO)
  • Carrying two biometric identifiers, a facial image and two fingerprints
  • With those biometrics stored in digital form on a contactless integrated circuit (IC)

Under current plans, the new cards will have a minimum validity of 5 years and a maximum of 10, with flexibility for cards issued to citizens younger than 5 or older than 70.
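To make the "machine-readable zone" and "ICAO minimum standards" items concrete, the following added example (written for this page, not code from the article or from any EU or ICAO body) parses the three-line TD1 MRZ that ID-1 cards carry under ICAO Doc 9303 and verifies its four check digits, then shows that a naive edit to the printed birth date is caught by both the field check digit and the composite check digit. It also derives the Basic Access Control key seed that a reader needs before it can open the contactless chip, since under ICAO 9303 that seed is computed from the MRZ itself. The sample MRZ is constructed here in the layout of the ICAO "Utopia" (UTO) specimen; the function names and the `TD1Record` type are this example's own.

```python
import hashlib
from dataclasses import dataclass, field

# ICAO 9303 check digit: weights 7, 3, 1 repeat across the field; digits keep
# their value, letters A..Z count as 10..35 and the filler '<' counts as 0.
WEIGHTS = (7, 3, 1)


def char_value(c: str) -> int:
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(s: str) -> int:
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(s)) % 10


@dataclass
class TD1Record:
    document_code: str
    issuing_state: str
    document_number: str
    birth_date: str      # YYMMDD as printed
    sex: str
    expiry_date: str     # YYMMDD as printed
    nationality: str
    surname: str
    given_names: list
    errors: list = field(default_factory=list)  # check-digit failures; empty if valid


def parse_td1(lines) -> TD1Record:
    """Parse a three-line TD1 (ID-1 card) MRZ and verify all four check digits.

    Assumes a document number of at most 9 characters; longer numbers spill into
    the optional-data field with a different check-digit layout (not handled here).
    """
    if len(lines) != 3 or any(len(l) != 30 for l in lines):
        raise ValueError("a TD1 MRZ is three lines of exactly 30 characters")
    l1, l2, l3 = lines
    errors = []

    def verify(name: str, data: str, digit: str) -> None:
        expected = check_digit(data)
        if digit != str(expected):
            errors.append(f"{name}: check digit {digit!r} does not match computed {expected}")

    verify("document number", l1[5:14], l1[14])
    verify("birth date", l2[0:6], l2[6])
    verify("expiry date", l2[8:14], l2[14])
    # The composite check digit covers line 1 positions 6-30 and line 2 positions
    # 1-7, 9-15 and 19-29 (1-based), i.e. the fields above together with their own
    # check digits, so an edit to any of them is caught a second time.
    composite = l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29]
    verify("composite", composite, l2[29])

    surname, _, given = l3.partition("<<")
    return TD1Record(
        document_code=l1[0:2].rstrip("<"),
        issuing_state=l1[2:5].rstrip("<"),
        document_number=l1[5:14].rstrip("<"),
        birth_date=l2[0:6],
        sex=l2[7],
        expiry_date=l2[8:14],
        nationality=l2[15:18].rstrip("<"),
        surname=surname.replace("<", " "),
        given_names=[g for g in given.split("<") if g],
        errors=errors,
    )


def bac_key_seed(lines) -> bytes:
    """16-byte Basic Access Control key seed per ICAO 9303 Part 11: SHA-1 over
    document number + check digit, birth date + check digit, expiry + check digit."""
    l1, l2 = lines[0], lines[1]
    mrz_information = l1[5:15] + l2[0:7] + l2[8:15]
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


def tamper_birth_date(lines, new_date: str):
    """Copy of the MRZ with only the printed birth date replaced, as a naive
    alteration of the card's printed zone would do (no check digits recomputed)."""
    l2 = lines[1]
    return [lines[0], new_date + l2[6:], lines[2]]


# Constructed sample in the ICAO Utopia specimen layout (issuing state "UTO").
SAMPLE_MRZ = [
    "I<UTOD231458907<<<<<<<<<<<<<<<",
    "7408122F1204159UTO<<<<<<<<<<<6",
    "ERIKSSON<<ANNA<MARIA<<<<<<<<<<",
]

if __name__ == "__main__":
    rec = parse_td1(SAMPLE_MRZ)
    print(rec.surname, rec.given_names, rec.document_number, rec.errors)
    print(parse_td1(tamper_birth_date(SAMPLE_MRZ, "740813")).errors)
    print(bac_key_seed(SAMPLE_MRZ).hex())
```

The caveat a practitioner should keep in mind is that check digits are an integrity aid for OCR and transcription, not an authenticity control: anyone forging a card can recompute them. What the MRZ does contribute to security is the BAC key seed above, which is why a reader that has not optically read (or been given) the printed zone cannot open the chip; the protection of the biometrics on the chip itself rests on the cryptographic mechanisms the ICAO standards define, not on the printed digits.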

The recent introduction of the eIDAS regulation also marks a definitive move in the European Union towards citizen credentials that work across borders: an EU citizen can use a national ID to access e-government services in another member state. This interoperability requirement works against fragmentation in credential design and security standards, and will drive convergence in the design and security specifications of national IDs across the EU.

Out with the Old, in with the New

In terms of timescales, the regulation will apply 2 years after its formal adoption, and cards issued from that date must meet the new standards. As a general rule, existing identity cards that do not meet the requirements above will cease to be valid 10 years after the regulation starts to apply or at the end of their own validity period, whichever comes first. Cards that do not carry a machine-readable zone will cease to be valid within 5 years.

The change in standards is driven primarily by the European Union's increasing focus on strong data protection safeguards and on reducing the risk of fraud. National authorities are responsible for ensuring that the data stored on the contactless chip is secured so as to maximize the protection of citizens' data. Note that the regulation applies only to the information stored on the card and the security measures that protect it: it provides no legal basis for building citizen databases at EU or national level. Any such database remains a matter for national legislation, which must itself comply with data protection rules.

Against a shifting political landscape within Europe, several areas of focus have emerged for citizen credential programs and identity management. With the United Kingdom potentially leaving the European Union in the coming months, the EU is positioning its national databases and citizen credentials as leaders in security, and may also place greater emphasis on border control and travel permissions, with borders closing to travellers who do not hold a secure form of ID.

The Future of the EU Credential Landscape

In April 2019, the European Parliament approved plans to connect the national databases of EU countries into a network holding the personal information and biometrics of hundreds of millions of people, called the Common Identity Repository (CIR). The CIR will modernize the way EU countries and national authorities access data from across the region. Instead of searching each database individually, officials will be able to query a single, interconnected repository in which all forms of data on citizens are shared and exchanged between countries. When the system is fully operational, the data of approximately 350 million people is expected to be held in the CIR.

More specifically, two proposals have found strong backing in the European Parliament. The first merges the systems that hold border-control and visa information, reinforcing the tighter border control seen in Europe in recent times. The second merges the systems that hold migration and law-enforcement information. If the proposals are signed off by the Presidents of the European Parliament and the Council, the European Commission will aim to have the CIR operational by 2023.

The project to merge all of the databases that hold EU citizen information has alarmed civil rights groups and data protection regulators, who have likened the proposed interlinked database to "Big Brother." Although the European Commission (EC) has confirmed that the CIR will not collect any additional data on citizens or restrict their right to access the personal data held on them, opposition to the proposal remains considerable.

A larger problem for the CIR project is its potential conflict with the recently introduced General Data Protection Regulation (GDPR). The GDPR requires that personal data be collected only for "specified, explicit and legitimate purposes" and not be further processed in a manner incompatible with those purposes. Linking every EU citizen information database could create an omniscient data network that holds all citizens' information for the purpose of combating crime and terrorism, at the expense of citizens' right to privacy. Such a network would have to be stringently monitored, with the data accessed only where necessary, to avoid conflict with citizens' right to informational privacy.