The European Parliament overwhelmingly approved two measures that would integrate the region’s fragmented law enforcement and home affairs databases into a centralized one that would include biometric information on some 350 million EU and non-EU citizens.
It approved creation of the new system, the Common Identity Repository, on two votes last week. One was to merge systems related to visas and borders, approved 511-123, with nine abstentions. The other was to merge systems with law enforcement, judicial, migration, and asylum information, approved 510-130, also with nine abstentions.
Following the votes, the European Parliament issued a statement explaining that the new measures will make the information systems used for EU security, border and migration management interoperable. Allowing data to be exchanged between the systems will facilitate the tasks of border guards, migration officers, police officers and judicial authorities by providing them with more systematic and faster access to various EU security and border-control information systems.
The new mega database created by the measure provides for the following:
- A European search portal allowing officials to make simultaneous searches, rather than searching each system individually;
- A shared biometric matching service for cross-matching fingerprints and facial images from several systems;
- A common identity repository providing biographical information such as dates of birth and passport numbers for more reliable identification; and
- A multiple identity detector to detect whether a person is registered under multiple identities in different databases.
The European Parliament assured citizens that “proper safeguards will be in place to protect fundamental rights and access to data,” although no details of those safeguards were disclosed.
“We’re expected to trust the security measures that the government puts on the data and database,” said Timothy Toohey, an attorney with Greenberg Glusker in Los Angeles.
“There will be protections, but the national security concerns behind creating these databases means there’s going to be a lack of transparency about what those security measures are,” he told TechNewsWorld.
Even if the CIR can’t be penetrated from the outside, which many security experts would find unlikely, it still could be compromised by insiders.
“Edward Snowden was not a one-off,” observed Robert E. Cattanach, a partner with Dorsey Dorsey & Whitney, a law firm in Minneapolis.
“There will be people who access this information who will be deeply troubled by it, and they will do something to demonstrate the potential for misuse,” he told TechNewsWorld. “It’s naive to think this will remain secure.”
It also may be naive to believe that law enforcement, once in possession of the trove of data in the CIR, won’t exploit it to the fullest.
“Law enforcement isn’t going to exercise any restraint on the use of data if that data is available,” Cattanach said. “We pretend we’re not going to do invasive things with data, but if the data is there, it’s going to be used.”
In some ways, the measure setting up the CIR invites abuse of the data. For example, the European Data Protection Supervisor, in an opinion on the new information framework supporting CIR, noted that provisions for “reasonable grounds” to access non-law enforcement data systems had been removed from the law.
“The requirement to have reasonable grounds is a fundamental prerequisite of any access by law enforcement authorities to non-law enforcement systems,” he maintained. “This is indeed an essential safeguard against possible ‘fishing expeditions.'”
Given the EU’s tough stances on privacy as found in the General Data Protection Regulation and “Right To Be Forgotten” court decision, it would seem that the creation of the CIR, with its potential to savage privacy, is incongruous.
Not so, maintained Melinda McLellan, privacy and cybersecurity partner at New York City law firm BakerHostetler.
“EU law has always recognized exceptions to restrictions on data processing and to data protection obligations for national security and public safety purposes,” she told TechNewsWorld.
Article 2 of the GDPR states that it does not apply to processing personal data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security,” McLellan noted.
“Using biometric information for law enforcement purposes may represent an expansion in scope from a technological point of view, but legally the EU has always permitted this kind of personal data processing in the interest of national security,” she said.
Another concern raised about the CIR is that of mission creep.
All EU states will have access to the CIR, but not all the states are as punctilious about respecting civil rights as others, Toohey explained.
“This database could be used for surveillance of political enemies,” he said, “or lead to civil rights violations of the sort that we saw in the Nixon era” in the U.S.
The European Data Protection Supervisor, Giovanni Buttarelli, also raised a red flag about mission creep.
“A central database — in contrast to decentralised databases — implicitly increases the risk of abuse and more easily rouses desires to use the system beyond the purposes for which it was originally intended,” he wrote.
While the powers behind the CIR are selling the gigantic database a simple stitching together of existing data and biometrics, the CIR is much more than that, maintained Tony Bunyan, director of Statewatch, a nonprofit group that supports research into justice, civil liberties, accountability and openness.
“If there has been one clear lesson since 11 September 2001, it is that function creep is the name of the game,” he wrote in an analysis of CIR.
“From the late 1970s onwards, each new stage of the technological revolution has been justified on the grounds that there is nothing new, it is just making life easier for law enforcement and border control agencies to get access to the information they need to do their job more efficiently,” Bunyan noted. “Whereas, the reality is that at each stage databases become ever more intrusive as security demands cumulatively diminish freedoms and rights.”