A new Prüm system will make it possible to query facial images across Europe in the future, and a central biometric EU repository will also be connected to it
For 14 years, the member states of the European Union have been able to query each other’s fingerprints, non-coding DNA data, motor vehicle and owner data. The basis for this is the Prüm Treaty, which was initially signed by seven EU members in the Eifel town in 2005. Three years later, the EU Prüm Decision followed, making the set of rules for improving police data exchange valid throughout the Union. As non-EU states, Norway, Iceland, Switzerland, Liechtenstein and the United Kingdom also participate in the Prüm network.
To mark the tenth anniversary of the Decision in 2018, the Council proposed to extend cooperation to facial images. The Commission recently presented a draft for such a Prüm II. The paper is now being discussed by the member states in the relevant Council working groups, and the position of the interior and justice ministers is to be determined by spring. Afterwards, the Parliament will deal with it.
Decentralised with a central router
Not all EU member states have fully implemented the Prüm Decision of 2008 as required. Italy and Greece are currently the last countries to follow, and Schengen member Norway is also not yet technically ready. But even among the active members, the Prüm query is not running smoothly. Countries like Cyprus or Denmark can only query DNA profiles with few other participants; Latvia and France have similar problems with fingerprints. In addition, many countries lack the technical infrastructure to connect all competent authorities. For the entire system, 1,134 interfaces are set up for this purpose.
The Prüm system is decentralised, i.e. the databases of the member states are networked with each other. If there is a hit, the requesting law enforcement authorities receive a positive notification. They can then request further information via the instrument of mutual legal assistance in criminal matters.
In the context of the extension to facial images, the Commission wants to fundamentally change the architecture of the system. For example, the queries will no longer be made simultaneously in each member state, but via a central router. This will be located at the Agency for the Operational Management of Large-Scale IT Systems in Estonia. However, the proposal to also set up a server for the central storage of data in the Prüm network was not accepted in the Commission’s draft.
60 million facial images
With facial images in Prüm II, police authorities in other countries can find out whether information is available there on an unknown person. In addition to police facial image files, still snapshots from public surveillance cameras can also be used for such a query. Therefore, the new EU facial recognition system should allow searches with lower quality images. However, according to a feasibility study by the consulting firm Deloitte, this would generate some false hits. However, the expected success in investigations would outweigh this shortcoming, according to an EU paper.
According to a presentation by the Commission, eleven EU states currently have national databases with facial images. Half of them have provided information on the number of persons stored there; according to this, 60 million facial images would be made accessible via a Prüm II in these six countries alone.
Compulsion to set up a face database?
Germany pioneered such a data collection in 2008 with a facial image database located in the police INPOL system. The central file at the Federal Criminal Police Office (BKA) now contains almost six million biometric photos of almost as many people, and the number of entries is growing every year. The biometric photos originate, for example, from identity checks or asylum applications.
The BKA is also setting the tone for the expansion of the Prüm system to its second generation. German officers are part of a “focus group” that deals with the technical implementation of facial image matching in a “Next Generation Prüm” project. At least one meeting of the group, which is chaired by Austria, took place in Wiesbaden for this purpose.
In the relevant Council working groups, in which the proposal for a Prüm II is currently being discussed, there is disagreement whether participation in the system should be mandatory or voluntary. An obligation would mean that even those countries that do not have a central file with facial images would have to set one up. The resulting costs would also have to be borne by the national budgets.
Networking with biometric “repository”
The plan to network the Prüm II with new data collections of all Schengen states is particularly far-reaching. In the “Interoperability” project, the Commission is currently setting up a central “Common Identity Repository” in which fingerprints and facial images from all existing databases will be combined. This data silo will be fed from the Schengen Information System, the Visa Information System, the Eurodac asylum fingerprint file and the criminal record for third-country nationals. The cross-checking system installed there comes from a consortium of the French companies IDEMIA and Sopra Steria and is said to cost 300 million Euros.
The EU is collecting hundreds of millions more biometric data with the Entry/Exit system, which is due to go live next year in summer. The EU Commissioner for Home Affairs, Ylva Johansson calls it the “most advanced external border management system in the world”. All third-country nationals, regardless of their reason for entering the EU, will have to give four fingerprints and their facial image when crossing the border into the EU. This data retention will also be attached to the new biometrics “repository”.
Data from intelligence services in third countries
In addition to facial recognition, Prüm II contains other significant innovations. For example, it will also be possible to retrieve data on missing persons and unidentified dead persons. Europol is to be allowed to participate in the network and to access their stored fingerprints and facial images.
It is even planned to integrate biometric data that Europol has received as “battlefield evidence” from third countries, including secret services from the Western Balkans or the USA. However, the police agency based in The Hague is not to be allowed to rummage through the biometric data of Prüm members itself.
No networking of weapons registers
The Commission also wants to facilitate the so-called follow-up processes after a hit report in the Prüm network. Some “core data” of the holders of facial images and fingerprints are then to be responded automatically, including name and registration address, date and place of birth. This data exchange is to take place with the help of a new format developed by the German BKA.
In the course of its ongoing deliberations, the Council could expand the Commission’s Prüm II proposal in some respects. Some member states want the information in the Prüm network to be used not only for law enforcement but also for security purposes. The networking of national weapons registers and ballistic databases demanded by some governments is also missing so far. Driving licences, identity cards, passports and the facial images stored in them were also not considered by the Commission, but could be negotiated back in by the Council.
Consultation of police investigation files
With Prüm II, the Commission and the Council also want to enable the Europe-wide networking of police files. With this Police Register Information System (EPRIS), prosecutors could query whether information on suspects or accused persons is available at a foreign police authority. So far, such an exchange is only possible after a final conviction.
The German government has been calling for the introduction of an EPRIS for over ten years. Under the recent German Council Presidency, the Ministry of the Interior has therefore had “Conclusions on Internal Security and European Police Partnership” adopted, which among other things concern an EPRIS. With the participation of the BKA, some member states are currently testing such a system in real operation.
However, it is unclear which national information systems would be networked with it. The term “police file” is not uniformly defined in the EU, so it could be purely files of pure suspicions. For this reason, participation in the exchange – in contrast to the consultation of facial images – is to be voluntary. Initially, no member state would be forced to create a central database of police files or to share existing data collections with other countries. There is also an all-clear for Switzerland, Norway and Iceland: as things stand, an EPRIS in Prüm II would not be part of the Schengen acquis, but could only be used by EU member states.
This text was published in German at Golem.
Image: The Prüm network (EU Commission).