EDRi, Statewatch call for ban of EU-wide police facial recognition system
The European Commission’s ‘Prüm II’ legislation may amplify the risks of state overreach and biometric mass surveillance and should therefore be amended, according to a new position paper by the European Digital Rights (EDRi) network and UK monitoring organization Statewatch.
The paper says the proposed regulation for automated data exchange for police cooperation fails to provide crucial safeguards to protect individuals’ privacy and biometric data.
The existing Prüm framework was created in 2008 to offer a number of laws regulating the automated sharing of personal data between the member states to investigate specific crimes.
The updated legislation (informally called Prüm II) would further automate the cross-border sharing of personal data, including face and fingerprint biometrics, DNA data, vehicle registration data and – on a voluntary basis – police records.
“This is particularly concerning for DNA, dactyloscopic data and facial images, as the profiles that will be returned are not guaranteed to be a match (as biometric matches only meet a certain threshold of statistical likelihood, not absolute certainty),” argues EDRi.
The UK government is also reported to have agreed to share records from its police biometrics database with U.S. border authorities as part of a new scheme in June.
“Furthermore, the profiles that are returned are always returned in the form of a ‘list’ of potential matches […] An intrinsic feature of Prüm’s hit/no hit exchange is that the sensitive biometric profiles of non-matching persons […] will always be automatically shared for the purpose of performing a comparison.”
The paper also mentions that, according to the European Commission, the intention of Prüm II is to remove barriers in order to streamline and accelerate the cross-border sharing of data relating to investigations of crimes such as terrorism and organized crime.
“However, the proposal does not establish legal thresholds, such as the severity of the crime, to limit the sharing of data only in relation to serious crimes,” EDRi maintains.
According to the new paper, although the proposal does not mandate the establishment of a national face image database, the European Commission is offering to provide funds to finance its creation in member states that do not yet have one.
Further, EDRi believes the possibility of searching other member states’ police records substantially expands the possibilities for overtly political policing.
“The premise underpinning the Prüm framework is that because criminals can operate freely across Schengen country borders, so too must data about them [be] held by law enforcement authorities,” the paper clarifies.
“But this assertion that ‘law enforcement authorities in one Member State [must] have access to the same information that is available to their colleagues in another Member State’ is a non-sequitur, and furthermore, is not sufficiently proven by the Prüm II proposal.”
However, EDRi believes the approach foregrounds the concept of convenience to the potential detriment of due process and respect for fundamental rights. It also reportedly follows issues with the 2008 Prüm Decisions, which included failures of implementation and mismanagement of criminal databases.
“Not only does Prüm II fail to correct such issues, it furthermore removes vital safeguards from the 2008 Prüm Decisions, such as the requirement for data protection audits and evaluation visits of member states prior to connecting their systems,” reads the latest EDRi paper.
“Given that the legal basis for Prüm II is data protection […] we argue that strengthening data protection safeguards in the proposed law is urgently needed to ensure the legitimacy of the proposal and its aims.”
To tackle these issues, the organization’s position paper provides a series of ten recommendations, from implementing specific rules for member states’ police databases before their connection to removing the sharing of Europol-held third-country biometric data (alongside Europol’s own-initiative biometric searches).
The list also calls for the deletion of the large-scale automated exchange of unidentified DNA data, the full rejection of the inclusion of facial image exchange, and the limitation of the definition of police records (to ensure that biased assumptions, hearsay and other illegitimate records will not be shared via Prüm II).
“In sum, the co-legislators should mitigate the risk that Prüm II will exacerbate the abuse of data, by strengthening the protection of fundamental rights, including through alignment to the LED [Law Enforcement Directive, 2018] and by setting rules for the databases which may be connected to Prüm,” EDRi writes.
The remaining recommendations, alongside more information about each of these, are available in the position paper’s original text.
The document’s publication comes months after Statewatch warned that new biometric identity controls used by police and immigration authorities in the EU could lead to worsening ethnic profiling risks.
More recently, the French presidency prompted the EU’s Justice and Home Affairs Council to formally approve the Prüm II Regulation.