How does the sharing of biometric data between member states provide yet another demonstration of the challenging demands and constraints of cooperation across Europe? This question is largely addressed by Guy de FELCOURT in his fitfth article of the BEST OF TRUSTECH series.
Do European countries trust each other enough to exchange biometric information?
To strengthen its borders exit-entry security and to increase interoperability between large scale information systems, the EU is building a Shared Biometric Matching Service for “third country nationals” travelling in the EU. This service should become operational in 2022.
Towards a new framework for biometric data sharing across the EU?
When it comes to the physical movement of “third country nationals”, legislation passed in 2019 established a defined set of rules to ensure interoperability between the visa and border information systems of European countries (EU Regulation 2019/817), as well as in the areas of police and judicial cooperation, asylum and migration (EU Regulation 2019/818). Due to be implemented in 2023, these large-scale information systems provide, among other things, a mechanism for sharing templates of certain biometric data (SBMS: Shared Biometric Matching Service).
Although, by their finality these measures may help fight terrorism or detect illegal immigration, they are also interesting per se in addressing the challenge of interoperability format for biometric data and in stimulating the cooperation between member states on sharing biometric data.
Let us consider the General Data Protection Regulation (GDPR). On the one hand, the regulation encourages free movement of personal data within the EU. On the other, by identifying biometrics as a special category of sensitive personal data, the GDPR imposes stringent conditions – including a strict legal basis for use, explicit consent by the individual, and the need for privacy impact assessments in some circumstances.
So, in this context how effective has been cooperation in Europe so far?
To help find out, in 2019, we were able to examine current levels of execution and implementation of biometric data reading mechanisms (facial, fingerprint or iris) in today’s European electronic Passports – a program of work that has been underway since 2004.
While access to an individual’s facial image is mandatory to support global interoperability, ICAO encourages countries to restrict and control access to other biometric data stored on the microchip. While ICAO offers two approaches – either by applying an extended access control (EAC) mechanism or by encrypting saved data – it doesn’t detail exactly how these controls are to be achieved.
Despite this ambiguity, or perhaps because of it, biometric data sharing between EU countries (the Schengen zone) was only authorized following agreement on the common specifications for EAC implementation. A quite sensible course.
Lessons learned from the current implementation of ePassport biometric data sharing
During TRUSTECH 2019, Francis Deschrijvere from the EU’s Directorate-General for Human Resources, and Antonia Rana from the European Commission Joint Research Centre, brought some evidence-based guidance on how EU Regulation on biometric data could be implemented.
Presenting in the Biometrics and Smart Travel conference stream, they offered audience members a deeper understanding of the measures to restrict and control fingerprint access – exploring the configuration of cryptographic communication and security mechanisms, and the settings necessary for the recognition of EU member states’ inspection systems.
The lessons learnt from this electronic Passport biometric program included the necessity for performing compliance and interoperability tests between all parties (so country A can read country B passport, and vice versa); agreement on the quality of service response times; and the process of finding a common solution that satisfies the majority of nations.
We remain, however, still some way from a full implementation of the shared reading of biometric ePassport data among EU countries. According to the lecturers, the extended timescale of this project reflected the sheer complexity of the task – the organizational challenges and the technical constraints. Plus, of course, both sovereign nations and the EU must get to grips with the very considerable ethical issues related to sharing this sensitive biometric data.
Furthermore, all 26 Schengen countries retain the sovereignty to determine at what point (front- or second line) they do implement digital fingerprint authentication at border control.
So, while we reached the technical capacity to inspect an ePassport issued by another member state, this did not mean we delivered that capability in the real world. Again, sovereignty rules – and the speed with which countries prioritize implementation can and will vary.
The growing need for trust
Ultimately, the experience developing interoperability for reading ePassport biometric data shines a spotlight on the need for continued and growing mutual trust and respect between Schengen member states as biometric programs evolve.
Indeed, the very fact that the deadline for introduction of the mechanism for shared biometric data at borders is some three years away (in 2023) highlights the rigorous and complex nature of the challenge – not only in terms of sharing biometric data between visa and border control systems, but in extending this to judicial cooperation, asylum and migration policies as well.
Further reading:
- Regulation 2252/2004 on standards for document security and biometric data for passports and identity documents of EU member states, which initiated the project https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004R2252:EN:HTML
- EU-LISA's feasibility report on the interface mechanism for shared biometric data https://www.eulisa.europa.eu/Publications/Reports/Shared%20Biometric%20Matching%20Service%20sBMS%20-%20Feasibility%20Study.pdf
- The European Commission's fact sheet on information systems used at the borders of the Schengen area and the EU: https://ec.europa.eu/home-affairs/sites/homeaffairs/files/what-we-do/policies/european-agenda-security/20190416_agenda_security-factsheet-eu-information-systems-security-borders_en.pdf
Interested in speaking at TRUSTECH 2021?
Are you an expert in Identification, Payment or Security issues and wish to take the stage at TRUSTECH?