The road to a population register: EU Commission outlines roadmap for a “common repository of data”

With the statement “Data protection is all well and good, but in times of crisis like these, security takes precedence” the German Minister of the Interior called in March 2016 for a restructuring of EU databases. Major information systems, including biometric data, will be centralised on a step-by-step basis. The planned population register also affects EU citizens.

In April last year, the European Commission established a “high-level group of experts” (HLEG) to investigate „current shortcomings and knowledge gaps of information systems at Union level“. The group aims to find possible ways of improving IT systems and their interoperability. Previously, Federal Interior Minister Thomas de Maizière (CDU) called for the European Union to improve links between its data repositories. The Commission has now presented the interim report of the HLEG.

The high-level expert group consists of the EU agency for the operational management of large-scale IT systems (eu-LISA), the border agency Frontex, the European Police Office Europol, the European Asylum Support Office (EASO) and the EU Agency for Fundamental Rights. The EU Counter-Terrorism Coordinator, Gilles de Kerchove, is also involved, along with representatives and experts sent by authorities from across the Schengen area. The group is chaired by the European Commission.

The interim report on operational and legal obstacles in existing information systems includes guiding proposals for an EU-wide “integrated biometric identity management for travel, migration and security”, which was already mentioned in a previous communication by the European Commission. According to the paper, each of the individual measures poses major challenges in terms of technical and operational implementation. Legal issues and data protection considerations must also ultimately be clarified.

Single Search Interface for simultaneous searching in several information systems

In future, when individuals are checked as they cross the border or during police checks, all major police databases are to be searched. This would apply to the Schengen Information System (SIS), the Visa Information System (VIS), the EURODAC fingerprint database, the European Criminal Records Information System (ECRIS), Europol’s system and the Interpol database for lost or stolen ID documents. There are already plans to also incorporate the new EU travel register currently under development in the single search interface. This includes the Entry/Exit System (EES) and a register for travel information and authorisation (ETIAS).

The „Single Search Interface“ proposed by the high-level expert group on information systems and interoperability. (Image: European Commission)

Eu-LISA, the EU agency established in 2012 for the operation of large-scale EU databases, is now to commission a feasibility study for the single search interface. The results could be tested in a pilot project. The expert group suggests that the SIS and VIS databases be trialled initially. Together with eu-LISA, Europol and Interpol are also to check which requirements are necessary for their own information systems to be incorporated. Europol is already running a pilot project to this end with the name “Querying Europol Systems” (QUEST), which is to start this year in some Member States.

In order to also access the ECRIS criminal records database via a single search interface, the decentralised system would need to be located at EU level. The ECRIS directive is currently being reformulated; in addition to the criminal records and convictions of EU citizens, data on nationals of third countries is also to be recorded. In the discussion about the new version of the directive, many Member States spoke in favour of the centralisation of ECRIS.

Consolidating biometric databases

The four databases SIS, VIS, EURODAC and ECRIS are where the EU Member States currently store fingerprints or facial images. The decentralised “Prüm process” ensures easier access to national fingerprint and DNA databases. The planned and centrally managed EES also aims to process biometric data and store this for five years. If these systems could be accessed via the single search interface, the expert group believes the result would be a fantastic innovation. The comprehensive search for finger prints and facial images could be used to track down individuals who are registered with different identities, for example.

„Shared biometric matching service“ proposed by the high-level expert group on information systems and interoperability“. (Image: European Commission)

There are some obstacles, however, in the form of legal concerns, as each database serves a certain purpose. If this is expanded, each individual directive must be changed. The group thus proposes anonymising the hits. If an individual was searched for in EURODAC, for instance, the system could report that there was also biometric data relating to this person in the EES. A further search could be made there. A corresponding pilot project is already in operation by some EU Member States and Europol under the name “Automatic Data Exchange Process” (ADEP).

The European Commission is giving itself until 2020 to consolidate the biometric databases. Proposals have been made to use the platform of the still-to-be-built EES for this purpose. Eu-LISA and Europol will be responsible for examining the extent to which the SIS, VIS and EURODAC databases along with the Europol information systems could be integrated into EES. Finally, the Prüm partners will also be called upon to examine possible means of incorporating the Prüm group. It would also be conceivable to locate additional national biometric databases at EU level. According to the group of experts, smaller Member States would make huge savings by relying on EU infrastructure instead of developing and procuring their own systems.

Common Identity Repository

The two travel registers currently being set up, EES and ETIAS, are to share a database of individuals. Anyone who applies for authorisation to cross a border generates an alphanumerical data record, which is then fed with additional information upon entry or exit at a later date. This also involves “background information” regarding travel, or the IP address used when entering the information.

According to the group of experts, this identity repository could be expanded to include other systems. Eu-LISA has been called upon to examine the extent to which data from SIS, VIS or EURODAC, for example, could be used. Even the integration of Europol data is to be possible. This would resolve the fragmentation of European database architecture. At the same time, the new system is economical with data if the same personal records are only stored in just one place. That is why the group considers the relocation of all data from existing information systems to the common identity repository. As a (border) police population register such as this would have a huge impact on data protection, the EU Data Protection Supervisor and the Agency for Fundamental Rights have been asked for their assessments.

How the future „Common Identity Repository“ might look. (Image: European Commission)

The EES travel register was initially only planned for citizens of non-EU countries. After the events of 2015, France was able to push through its proposal to also document border crossings by EU citizens. The group of experts are now to examine what legal adjustments would have to be made for this type of expansion.

Data quality and uniform formats

In addition to the restructuring of existing and planned information systems, the group of experts deals with two cross-cutting issues. There is criticism of the often insufficient quality of the data supplied by the Member States, for example regarding spelling or omitting data fields. This results in gaps in the “identification of irregular migrants or of terrorists“. Innocent individuals also come under the authorities’ suspicion as a result of false data. Occasionally, the data records are not even accepted due to insufficient or contradictory information from the EU information systems. Examination of the data as soon as it is entered into the national system by border authorities, consulates or immigration offices should help in this respect.

Quality control and „Data Warehouse“ for individuals and items in EU databases. (Image: European Commission)

Under the direction of the Bundeskriminalamt (Federal Criminal Police Office), Europol, Interpol and some Member States have been working since 2007 on a “Universal Message Format” (UMF) for an “improved automated information flow”. The UMF should become the standard for all data on individuals and objects in European information systems. The group of experts thus proposes also using the UMF for the planned ETIAS and EES databases.

There is no doubt that the European Commission and its agencies are acting urgently in the restructuring of the police and border police information systems. The final report from the group of experts was originally announced for June 2017, but publication has been brought forward to April. By then, three sub-working groups are to tackle the existing and future databases and the interoperability of these.

This text first appeared here.