EU border agency says biometrics interoperability framework includes robust safeguards
eu-LISA is set to play a crucial role in the facilitation of interoperability in Europe, with its management of a massive new biometric database, the Common Identity Repository (CIR), which brings together information from six large-scale European databases via an EU-designed interoperability framework. Biometric information will be collected on both European citizens and non-Europeans who need a short-term visa, and on third-country nationals exempted from the visa requirement.
Yet concerns remain over access for individuals seeking to check on data collected about them, and whether this data will be consistently cross-checked to eliminate the risk of ‘false positives.’ Statewatch and Codastory both mention issues with the CIR project in their respective reports, such as racial profiling, child protection, false positives and the potential for misuse of the database, especially among immigration officials. A representative of the Communications team at eu-LISA told Biometric Update via email, however, that the CIR will not stray from purpose limitation.
Furthermore, to mitigate potential false positives, eu-LISA adds: “the Agency, together with its stakeholders are closely cooperating in order to ensure compliance with the associated requirements. This also includes coordination of implementation of standards for data quality. Moreover, it shall be noted that the legal base provides the means to the responsible national authorities to use more than one biometric modality in order to streamline the results and thus further assist their decision-making processes.”
The website Politico explains that within the database, if two individuals share the same name and address yet have different biometric data, the system will still falsely link them together. This is dubbed a ‘yellow link,’ which will then require national authorities to investigate. The implication is that yellow links could ultimately result in the incorrect processing of personal data.
According to the European Commission, interoperability within the framework allows law enforcement officials to access relevant information quickly and efficiently from multiple locations, helping to eliminate blind spots (where potentially threatening individuals can go undetected in a third-party database, or under another alias). This means threat detection should be more effective.
eu-LISA told Biometric Update that the CIR will make travel safer and more efficient.
“In order to fulfil their legal obligations, Carriers will be provided with tools to allow checking of the status of the travellers before boarding,” the spokesperson writes. “Moreover, as already regulated in the applicable legal texts, travellers will be able to check the status of their authorisation prior to travel and during their stay in the Schengen area. All these measures will not only enhance security, but also facilitate the travelling of bona-fide travellers and augment the safety feeling of third country nationals travelling to European Union.”
In 2016, the Commission created an expert group on information systems and interoperability in order to address the legal, technical and operational challenges of enhancing interoperability between central EU systems for borders and security, as stated in a proposal for the regulation of the European Parliament and of the Council. The group was formed to further address necessity, technical feasibility, proportionality and data protection implications. The push toward interoperability on the continent is a response to an increased number of terror attacks in recent years, says Codastory, and to the influx of migrants and refugees to Europe since 2011.
However, though law enforcement will have enhanced knowledge, regulatory aspects of the database will be left to member states’ discretion. For example, if an individual wishes to access the data stored about them: “Only the responsible competent or designated authorities of the member states and associated countries, as well as certain EU Agencies, have the right to access and process this information and only for that specific purpose indicated in the legislation,” the eu-LISA representative told Biometric Update. “Individuals (data subjects) whose personal data is collected and processed for the purposes of each EU Large-Scale IT System can exercise their rights, by addressing them to the competent authority of any Member State which then shall examine and reply to the request.”
Finding out how an individual’s data may be used could therefore be difficult. The representative at eu-LISA did not answer whether there will be policy guidance for Member States around transparency.
The framework will span the Entry/Exit System (EES), the Visa Information System (VIS), the European Travel Information and Authorisation System (ETIAS), Eurodac (the European register of fingerprints of asylum seekers), the Schengen Information System (SIS), and the European Criminal Records Information System for third-country nationals (ECRIS-TCN). This framework will include a European search portal (ESP); a shared biometric matching service (sBMS); a common identity repository (CIR) and a multiple-identity detector (MID). Idemia and Sopra Steria were awarded the four-year contract by eu-LISA earlier in 2020 to deliver the new shared biometric matching system (sBMS), which allows authorized users to cross-reference biometric information in the system, helping the EES to operate.
eu-LISA will be bringing in a third-party contractor to design the CIR database. “In line with the applicable law, the Agency is contracting services in order to deliver the systems entrusted to it,” the agency writes. “In this respect, the Agency is in full control of the applicable technologies and ensures that the latter complies with the requirements stemming from the associated regulations.”
Furthermore, eu-LISA says the CIR will not store identity information from all JHA (Justice and Home Affairs) databases.
Statewatch mentions that interoperability could change the structure and legal principles of large-scale IT systems; however, eu-LISA says “interoperability does not alter those legal principles, the purpose limitation or the access rights by the competent authorities to each system, but rather enhances the information management by the responsible authorities.”
When asked if eu-LISA will be following any ‘responsible use’ guidelines or taking advice for best practice regarding the database use, the agency’s representative responded: “The legal framework of the EU large scale IT systems in the JHA area clearly regulates the use, purposes, access rights, type of data to be collected or data subjects from whom the data will be processed. Therefore, eu-LISA, other EU EUIs and all those competent authorities in the Member States are strictly bound to use these systems as established in the applicable regulations.”
What remains unclear is how a unified effort between countries could be made to mitigate the risk of false positive results, and how best to protect those most at risk from them (for example, via racial bias in facial recognition). eu-LISA will receive a total budget of 225 million EUR (approximately US$274 million) for the creation of the database, which includes 68.3 million EUR ($83.6 million) to deliver the five interoperability components alone. The Common Identity Repository is due to be completed in 2023, with capacity for data from approximately 300 million individuals.