EU merges biometric data pots: Now the query tsunami is coming

Under the keyword „Interoperability“, the large EU databases in the area of justice and home affairs will be interlinked. Fingerprints and facial images are stored with personal data in a searchable „Identity Repository“. Data queries are expected to increase drastically, with Europol alone expecting 100,000 per day.

The European Union is providing all information systems containing biometric data with new functions. They are partially merged and made searchable with a single click. This was agreed yesterday by the negotiators from the EU Parliament and the Council, writes the Romanian Council Presidency. This ends the struggle for a biometric data repository in which hundreds of millions of fingerprints and facial images will be stored, linked to personal data.

The data is to be kept centrally at the Agency for the Operational Management of Large IT Systems (eu-LISA) in Tallinn. The Agency is also responsible for technical management and secure data transmission. Technical implementation will begin in 2020 and the new capabilities should be operational by 2023.

The exact wording of the two concerted regulations for „police and judicial cooperation, asylum and migration“ and „borders and visas“ has not yet been published. However, the Council had put its December negotiating position online. The regulations must be formally adopted by the Council and Parliament before they become final.

Search engine also for Europol and Interpol

The new laws concern the Schengen Information System (SIS II). Europe’s largest search database contains alerts for refusing entry or stay and for arresting or discreetly checking persons of interest. „Interoperability“ will also include the Eurodac system of fingerprints of asylum seekers and third-country nationals and the Visa Information System (VIS). It contains information on short-stay visa applicants and their invitees, including biometric data.

The fingerprints and facial images stored in the SIS, VIS and Eurodac are now centralised in a „Common Identity Repository“ together with the corresponding personal data. For each registered person an „individual file“ will be created, which can be accessed by tens of thousands of authorised officials in the European Union using a new „European Search Portal“.

This search engine will not only query the SIS, VIS and Eurodac, but will also access data from the Europol police agency and Interpol each time a person is checked. As an interface to „Interoperability“, the Commission is introducing a new „Universal Messaging Format“ (UMF), which has been developed under the leadership of the German Federal Criminal Police Office and must now be installed by all parties involved. Queries at Europol are also carried out using a new protocol, which operates under the name „Querying Europol Systems“ (QUEST).

New „Identity Confirmation File“

First, all existing biometric data must be transferred to the new „Common Identity Repository“. They will then be checked for existing fingerprints or facial images via a „Biometric Matching Service“. Every new entry also goes through this procedure.

A „Multiple Identity Detector“ is also running in the background, looking for links between the biometric data and ID documents associated with them. The focus is on people whose fingerprints are attributed to more than one identity. The existing databases already have such a search system for fingerprints. However, the proposal for „Interoperability“ is intended to facilitate the simultaneous consultation of several systems.

The four new „Interoperability“ functions (all rights reserved EU Commission).

If the „Multiple Identity Detector“ finds an anomaly, a temporary „Identity Confirmation File“ is created for the person concerned and her associated biometric data. If she or he enters a police check or makes representations to one of the authorities involved, the information must be checked and, if necessary, corrected. The software should be designed in such a way that „small transliteration or spelling mistakes“ are detected, but do not always result in „adversarial decisions“ for the third-country national concerned. However, it is unclear how this will be technically implemented.

The „Common Identity Repository“ displays a yellow or red warning message. These indicate, for example, that the person is using different identities (yellow) and may be liable to prosecution (red). Frequent travellers and EU citizens are marked with white and green if there is no danger. If the check shows that a red message is confirmed, „appropriate action“ should be taken. This can mean the interrogation or arrest of the person.

Entry must be declared in advance

In addition to the three existing databases, the European Union intends to set up three new central systems which will also be interconnected under the interoperability regulations. An „Entry/Exit System“ (EES) will collect biometric data of all third-country nationals crossing an external border of the European Union. The recently adopted „European Criminal Records Information System for Third-country Nationals“ (ECRIS-TCN) will be integrated into the new „Interoperability“ as a further data base. It serves to exchange information on criminal convictions of third-country nationals, if they reside in the European Union.

Even if they do not require a visa, all travellers should first register with the European Union. To this end, the Commission is launching a „European Travel Information and Authorisation System“ (ETIAS), which must indicate the time and purpose of the journey and the planned itinerary. If a hit is found in existing databases during the automatic check of the person, entry may be refused.

ETIAS will also use the Europol Information System (EIS) to process travel authorisation applications. This would drastically increase data traffic there. Currently, more than 100,000 queries per month are carried out at Europol and ETIAS aims to achieve this in a single day.

Systems to „talk to each other“

The former German Minister of the Interior, Thomas de Maizière (CDU), had described the „Interoperability“ project as a “ pooling of data pots“. In the English version of its press release yesterday, the Commission said that information systems should better „talk to each other“. The data it collects will „supplement each other“.

The different databases and their partial interconnection. Each time a person is checked, they are queried via the new search engine (all rights reserved EU Commission).

In fact, the existing databases will be maintained in their current form, but each individual regulation will be adapted for their networking in the „data pot“. Access by investigating authorities will sometimes be extended. This will be facilitated by the purposes of the „Interoperability“ project. The aim is not just to detect the misuse of identities. It also serves to combat irregular migration, to improve „external border management“ and, more generally, for the „maintenance of public security and public policy and safeguarding the security“.

Europol is notified of hits

The purpose of the „Entry/Exit System“, which in its original form was only intended to detect travellers with expired visas („overstayers“), has also been extended. It was estimated at over €1 billion, but many governments found it too expensive for the common visa policy. Therefore, under certain circumstances, investigators should now also have access to the data stored there. Only this extended purpose makes the system profitable from the Commission’s point of view. In Eurodac, VIS and ETIAS, criminal prosecution has also been defined as a secondary objective.

The rights of use for the individual information systems have been extended. Europol is also allowed access (all rights reserved EU Commission).

The search in the „Common Identity Repository“ for law enforcement and security purposes is currently limited to investigations into terrorist and other serious crimes. The EU Police Agency Europol also has access to all data and is notified by means of a „hit-flagging functionality“ when another authority has found something at Europol’s database. The Agency can then contact the investigators in the Member State and contribute its own findings.

Costs are well over one billion

Finally, as the fifth „interoperability component“, a „central repository for reporting and statistics“ will also be created, through which the number of storages and queries can be determined at any time. The Agency for the operational management of large-scale IT systems uses it for regular „Interoperability“ reports. In 2023, after the project has been fully implemented, the new functions will be evaluated. The European Border and Coastguard Agency will then be responsible for checking the links in the „Common Identity Repository“. Frontex will be responsible to host the central unit of ETIAS.

According to the Commission, „Interoperability“ will cost around 425 million euro by 2027. In addition, 480 million euros will be spent on the development of the EES, 210 million euros on the ETIAS and 68 million euros on the renewal of SIS II. Further funds are needed for Eurodac and VIS. The costs of the central systems will be borne by the general budget of the Union. The Member States and Europol will have to pay for their national connections. Governments can apply for funding from the Internal Security Fund for this purpose.

Image: jonworth-eu, CC-BY 2.0.

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.