The European Parliament has voted to create one large centralized biometrics database that the law enforcement agencies of any member state can access (with some restrictions).
Although the current law mostly unifies existing biometrics databases of existing EU nations, it could still increase the risk of hacking, while civil liberties advocates argue that the new law could be expanded in the future to cover other uses for the tracking database. Some members of the EP have been trying for years to get EU member state tourists to also fall under this database.
EU Common Identity Repository (CIR)
The new database will be called the Common Identity Repository (CIR), and it aims to unify the records of 350 million citizens from the EU. CIRcontains citizen information such as names, dates of birth, passport numbers, as well as biometric data such as fingerprints and facial scans. All of this data will be made available to all law enforcement agencies from the 27 EU member states.
The idea behind this database is to simplify the jobs of law enforcement agents, including border agents, who now have to look through each relevant country’s database when searching for information about someone. The information would come from other databases such as the Schengen Information System, Eurodac, the Visa Information System (VIS) and three new systems: the European Criminal Records System for Third Country Nationals (ECRIS-TCN), the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS), according to EU officials.
The EP and the European Council promised to implement “proper safeguards” for the data, but no details were offered at this point. If the European Council approves the law passed by the EP, then all member states will have to implement it within two years.
One Large Hackable Database
On smartphones that come with fingerprint readers, a hash of the fingerprint data is stored locally on each user’s devices. This makes it much more difficult for an attacker to get everyone’s fingerprint data and then reuse it at will for criminal purposes.
In contrast, government biometric databases tend to keep an exact image of someone’s fingerprint, rather than a cryptographic representation of it. This makes it much easier for someone who hacks the database to reuse that fingerprint data. Furthermore, the data is not stored on each particular device, but on a large centralized databases that tend to have poor security, can easily get hacked, and then can expose the biometric data of millions -- all at once.
This has happened before, for instance with the U.S. government’s own employee fingerprint database, with China’s facial recognition database, and with India’s Aadhaar identity database, which also includes biometric information on 1.1 billion Indians.
Therefore, the question is more than likely not one of if, but when will EU’s new centralized database also leak, and how this will affect the EU member states citizens who won’t have much of a say in all of this.
EU Privacy Chiefs Criticized The Law
The other issue may be that the Court of Justice of the European Union, as well as the European Court of Human Rights, have ruled in the past against the law demanding excessive data collection on citizens, especially if the protection of the data is not properly guaranteed. The EU citizen’s lack of control over such data may present yet another legal issue for the EU bodies.
Article 29 Working Party, comprised of the chiefs of each Data Protection Authority from within EU member states, have previously criticized the CIR on multiple points, some of which include the centralization of biometric data (as opposed to keep it decentralized, such as on ID cards, etc.), mixing the data on EU citizens with that of non-EU citizens who may only be passing through the EU, blurring the lines between migration management and fighting against terrorism, over-use by police of the CIR, and many other issues described in a paper written by the group. However, as it appears, the European Parliament hasn't taken those issues into account and passed the CIR/interoperability legislation anyway.