Privacy First demands repeal of new Passport Act

Privacy First calls on House of Representatives to halt storage of passport biometrics and repeal new Passport Act 

Today, the Privacy First foundation sent a letter to the House of Representatives in connection with the general consultation on the new Passport Act on 27 April with minister Donner. The content of our letter is as follows:

Less than two years after the new Passport Act came into force, it is once again high on the agenda of the Lower House. After a relatively noiseless parliamentary process, the new Passport Act was passed without a vote by the Senate on 9 June 2009. For many at the time, this came as a bolt from the blue: after all, there had been virtually no democratic debate on this far-reaching law. Faced with this fait accompli followed a year and a half of increasing resistance in the form of citizen protests, petitions, scientific and political criticism, objection procedures, court cases and even disapproving motions from municipal councils. In this sense, the new Passport Act now returns to the House of Representatives like a social boomerang. Needless to say, Privacy First Foundation puts the main objections to the current law once again:

- under the European Passport Regulation, only the inclusion of two fingerprints and a facial scan in travel documents is mandatory. This is to (supposedly) combat fraud with the same travel documents. In the new Passport Act, however, the Netherlands goes 3 steps further by also storing this data (plus two additional fingerprints) in databases for a wide range of other purposes, including investigation and prosecution, counter-terrorism, disaster relief and intelligence work in the Netherlands and third countries. Given the completely unjustified and disproportionate nature of this, it constitutes a collective violation of the right to privacy and physical integrity of every Dutch citizen with a new travel document;

- of the above purposes in the new Passport Act, most citizens have never been informed; this constitutes a violation of their right to 'informed consent' when processing their biometric personal data;

- Citizens who object to mandatory storage are forced into years of procedures and have to go through life without a valid travel and identity document during that time, with all the drawbacks and risks that entails;

- the storage of biometric data (both in the travel document and in a database) creates a new form of fraud: biometric identity fraud. This form of fraud can go undetected for years and haunt a person for a lifetime;

- The same applies to the remotely readable RFID chip in the document: this too creates new risks of identity fraud;

- the security of storage in databases (either 'central' or 'decentralised') cannot possibly be (fully) guaranteed;

- storage in databases lends itself ideally to identification rather than verification and works function creep in hand;

- no biometric verification generally takes place when the travel document is issued. As a result, it is unknown to what extent the travel documents circulated under the new Passport Act function biometrically. In this context, the parliamentary roundtable discussion on the new Passport Act on 20 April last revealed an error rate (upon verification of fingerprints) of no less than 21%.

In response to these objections, Privacy First hereby urges the House of Representatives to immediately halt the storage of biometric data (fingerprints in particular) and repeal the new Passport Act of 2009 or revise it along the following lines:

- the taking of biometric data should voluntary to be;

- storage of these data in municipal or national databases should be eliminated;

- The Netherlands should abandon the current model of storage at municipalities and opt for the German model of voluntary storage in the document's chip;

- An alternative identity document without biometrics should be developed for domestic use.