Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members

2018/0104(COD)

Opinion of the European Data Protection Supervisor on the proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents.

The EDPS supports the objective of the European Commission to enhance the security standards applicable to identity cards and residence documents, thus contributing to security of the Union as a whole. At the same time, the EDPS considers that the proposal does not sufficiently justify the need to process two types of biometric data (facial image and fingerprints) in this context, while the stated purposes could be achieved by a less intrusive approach.

The fact that the proposal shall potentially subject 85 % of EU population to mandatory fingerprinting requirement, combined with the very sensitive data processed (facial images in combination with fingerprints) calls for close scrutiny according to a strict necessity test. In addition, the introduction of security features that may be considered appropriate for passports to identity cards cannot be done automatically, but requires a reflection and a thorough analysis.

The EDPS considers that the impact assessment accompanying the proposal cannot be considered as sufficient for the purposes of compliance with Article 35(10) of the General Data Protection Regulation (GDPR). Therefore, the EDPS recommends reassessing the necessity and the proportionality of the processing of biometric data (facial image in combination with fingerprints) in this context.

In addition, the EDPS recommends:

- adding to the proposal a provision explicitly stating that biometric data processed in its context must be deleted immediately after their inclusion on the chip and may not be further processed for purposes other than those explicitly set out in the proposal;

- restricting the biometric data used to only one (e. g. facial image) as the proposal does not justify the need to store two types of biometric data for the purposes considered;

- limiting the fingerprint data stored on the documents chip to minutiae or patterns, a subset of the characteristics extracted from the fingerprint image;

- setting the age limit for collecting children's fingerprints under the proposal at 14 years, in line with other instruments of EU law.