Ministry of the Interior threatens to introduce central biometric database after all
Due to privacy concerns, the development of a biometric database was halted in early 2011. State Secretary for Digital Affairs Alexandra van Huffelen seems intent on introducing such a database after all.
Remember the massive public opposition in 2009-2011 to a central database containing the biometric data (fingerprints and facial scans) of all Dutch citizens? Due to privacy concerns, the development of that database was halted in early 2011. State Secretary for Digital Affairs Alexandra van Huffelen seems intent on introducing such a database after all. This is Privacy First's response to the recent internet consultation on this abject plan.
Abject Plan
Privacy First Foundation was astonished to learn of your intention to make it possible, after all, to create a central database with everyone's biometric data (facial scans and - as yet "temporary" - fingerprints) by means of an amendment to the Passport Act. This comes after the original plan for such a database was rightly halted in 2011, following two years of massive resistance from all sections of Dutch society, due to legal, political, administrative and technical objections. At the time, not a single official could be found, even within the Ministry of the Interior and Kingdom Relations, who still dared to openly advocate the development of such a database. Meanwhile, this "progressive insight" within your ministry has apparently disappeared completely, just at a time when international developments call for remembering the historical lessons about the risks of central population registers.
Risky & disproportionate
After all, a central biometric database creates an extremely risky target for malicious persons. A convincing case for the necessity and proportionality of such a database cannot be found in the draft explanatory memorandum to the current bill and is, for that matter, unthinkable. Moreover, experience shows that over time such databases will always be used and abused for all sorts of unforeseen purposes (function creep) and that original retention periods will be increasingly stretched. In this context, Privacy First would like to remind you that the previously planned central biometric database involved clandestine, protected access by the Dutch secret services (who were also involved in its development for that purpose), but that the AIVD itself subsequently considered its realisation too risky. It is hard to see why the considerations of that time would no longer apply.
Fingerprints
Ever since its establishment in 2008, Privacy First has opposed the compulsory collection of fingerprints for passports and identity cards. Privacy First has done so since the introduction of the new Passport Act in 2009 through lawsuits, campaigns, Wob requests, political lobbying and media activation. Despite the subsequent halt of the (planned) central storage of fingerprints in a national database and at municipalities in 2011, everyone's fingerprints are still taken when applying for a passport and now (due to the new European Identity Card Regulation) once again for Dutch identity cards as well, after this was abolished in 2014. To date, however, the millions of fingerprints taken from virtually the entire adult Dutch population have hardly been used in practice, as the system had already proven to be technically unsound and unworkable in 2009. The compulsory collection of everyone's fingerprints under the Passport Act thus still constitutes the most massive and longest-lasting violation of privacy the Netherlands has ever known. We therefore request you to withdraw the present draft bill and replace it with a new bill to abolish fingerprinting under the Passport Act, even against European policy. After all:
- Already in May 2016, the Council of State ruled that fingerprints in Dutch identity cards violate the right to privacy due to lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956.
- Wob requests by Privacy First have shown that the phenomenon to be combated (lookalike fraud with passports and identity cards) is of such a small scale that the mandatory surrender of everyone's fingerprints to combat it is totally disproportionate and therefore unlawful. See https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
- Fingerprints in passports and identity cards previously had a biometric error rate as high as 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (State Secretary Teeven, 31 Jan 2013). Earlier, Minister Donner admitted an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (27 April 2011). How high are these error rates in 2022?
- Partly because of the above-mentioned high error rates, fingerprints in passports and ID cards have hardly been used to date, whether domestically, at national borders or at airports.
- Because of these high error rates, former State Secretary Bijleveld (BZK) instructed all Dutch municipalities as early as September 2009 to (in principle) not carry out fingerprint verifications when issuing passports and identity cards. After all, in case of a "mismatch", the relevant ID document has to be returned to the passport manufacturer, which would lead to rapid social disruption in case of high numbers. In this context, the Interior Ministry was also concerned about large-scale unrest and possible violence at municipal counters. The relevant concerns and instruction from State Secretary Bijleveld still apply today.
- A legal exception should still be created for people who do not wish to give fingerprints for whatever reason (biometric conscientious objectors, Art. 9 ECHR).
For more background information on the biometric passport, see the WRR report 'Happy Landings', which yours truly wrote in 2010. Partly in response to this critical report (and the large-scale lawsuit by Privacy First et al. against the Passport Act), decentralised (municipal) fingerprint storage was largely abolished in 2011 and the planned central fingerprint storage was discontinued.
We sincerely hope it will not have to come to another Privacy First lawsuit to turn the tide.
Of course, we are willing to explain the above aspects in more detail.