Critics say plans to link together existing identity databases across the EU may break Europe’s own data protection laws
The European Parliament has pushed through controverisal proposals to create one of the world’s biggest repositories of biometric data, amidst concern from civil liberties advocates as well as the EU’s own data protection authorities.
MEPs approved the Common Identity Repository (CIR) as part of a broader scheme of linking together a range of identity-related databases across the EU.
The new rules linking together existing security, migration and border management systems are intended to help combat militant attacks, and were introduced in the wake of a string of incidents in 2015.
They also introduce a new repository that is to store biometric data on non-EU citizens, the European Commission said.
Border and internal security
It’s intended for use by police and border guards along with systems that will allow them to cross-check biometric data across member states’ existing systems.
“Interoperability will help those working in the frontline to keep EU citizens safe – ensuring police and border guards have efficient access to the information they need, including to fight identity fraud, enables them to do their jobs properly,” said commissioner for the Security Union Julian King following the vote.
The Commission said the new measures would “expedite the ongoing efforts at EU level to improve internal security”.
But civil liberties advocates Statewatch has argued the initiative will lead to the creation of a “Big Brother centralised EU state database”.
It is comparable to databases used by the Chinese government, India’s Aadhar system and the US’ Customs and Border Protection (CBP) and FBI.
Europe’s own data protection authorities have taken issue with the proposals, saying that in effect they create a loophole in the law.
The GDPR data protection rules impose limits on the way information can be collected on citizens, saying it can only be collected for “specific, explicit and legitimate purposes” and can’t be further processed “in a manner that is incompatible with those purposes”.
Data protection authorities say the Commission’s plans involve repurposing data in a way that’s incompatible with the GDPR, with European data protection supervisor Giovanni Buttarelli warning of a potential “panopticon in which all our behavior is considered useful for investigative purposes and must be made accessible because fighting crime is given priority”.
An unnamed European Parliament adviser told politics news site Politico that effectively merging data from multiple databases designed for different purposes was akin to “drilling a loophole” in this aspect of EU law.
The Commission argues the databases are only to be made “interoperable”.
“Interoperability does not change the rules on access and purpose limitation relating to the EU’s information systems,” it said in a statement. “Fundamental rights thus remain protected.”
Statewatch editor Tony Bunyan said the EU’s proposals have become increasingly more ambitious.
“What started out as creating ‘interconnectivity’ between EU Justice and Home Affairs (JHA) databases was quickly rejected by the High Level Group of Experts in favour of ‘interoperability’, which in turns has morphed at the hands of the Council and the Commission into the creation of a centralised EU state database covering all JHA databases,” Bunyan wrote in a study last year.
The European Council must now adopt the text of the relevant regulations, after which they must be co-signed by the President of the European Parliament and the rotating Presidency of the Council.
The Commission said it hopes to have the new measures in place by 2023.