France: Fingerprints and transmission of data: biometrics to protect identity?

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

A law was proposed in July 2010 by the French government on the "protection of identity". It was adopted in December 2011 and introduces biometric (two-fingerprints) ID cards, celebrated as an answer to the over 200,000 estimated cases of persons being victims of identity theft.

While biometric data has already been added to the information contained in passports since 2009, its insertion into French ID cards is new. This purely national initiative aims to:

"Secure the delivery procedure of these documents and opens the possibility to electronic ID holders to benefit from functions which will ease administrative procedures [e.g. remote authentication system] and make some transactions more secure". [1]

The card will contain details of the holders' name, surname, place of residence, height, eye colour and two fingerprints.

A remedy to identity theft

It is estimated that in 2009, there were more than 400,000 Internet-based cases of impersonation. It is unknown whether the 200,000 victims of identity theft in the non-virtual world are included in this figure.

The list of crimes and offences that the new ID cards are supposed to address coincides with the agenda brought forward by the French government in the past few years: a heavy emphasis on security and a general mistrust against "lay-abouts" and third country nationals.

It is claimed that biometric ID cards will help prevent people using identity theft to open a bank account; claim benefits; escape legal proceedings; leave French territory; regularise one's legal status; or impersonate others for the purposes of organised crime or terrorism.

A "file on honest people" [2]

Information on the electronic ID card will be part of the secure electronic identity documents data base TES (Titres Electroniques Sécurisés) which already contains the personal information and biometric data of passport holders since 2008.

The ID card may hold one or two electronic chips. The second chip is optional and will enable those who choose it to be electronically authenticated when carrying out financial transactions or administrative procedures online.

Information held on the first chip - name, surname, place of residence, height, eye colour and two fingerprints - will be held on a central database. This will be established following government consultation of the National Commission on IT and Freedoms (CNIL) and the adoption of a decree by the Council of State (Conseil d'Etat). This data will make it possible to check whether applicants for travel documents are using another person's identity. The processing of the data in this respect falls under the responsibility of the Ministry of Interior.

However, contrary to the official discourse, the use of this database will not just be limited to administrative purposes: it will also be possible to use it for judicial purposes.

From administrative to judicial purposes: the Parliament's proposal [3]

The initial amendment submitted by the former Parliament mainly consisted in adding a few safeguards and in opening access to data for a greater number of actors. The data will only be accessible to authorised agents in charge of identity checks and identity document controls when the identity document seems to be altered or defective. Authorised public administrations as well as some operators delivering public services and businesses will be able to consult this data when it is necessary to check the validity of the ID card or the passport details submitted to them for a specific procedure.

The National Assembly during the last reading of the proposal in December 2011 went even further, authorising access to the database, upon authorisation of the Attorney General, "where it is plausible to suspect that the person has committed or attempted to commit" some of offences listed in the same article (identity theft offences). Moreover, a judicial policeman can, upon a judge's authorisation, use the fingerprint(s) as stored in the data base to identify a person without the data subject's knowledge.

Biometrics and EU law: France on the spot

The evaluation of the use of biometrics with respect to the principle of necessity and proportionality has put France on the spot in recent months.

In October 2011, two public institutions came to the conclusion that the use of biometrics was disproportionate and may put the right to privacy at risks. The first decision came from the Council of State (Conseil d'Etat), following a complaint lodged, inter alia, by the think tank Droit, Justice & Sécurité (Law, Justice & Security), the Human Rights League, and Imaginons un Réseau Internet Solidaire. [4] The Council of State considered on 26 October 2011 that the collection of eight fingerprints for passport registration was disproportionate in light of EU requirements (Regulation 2252/2004 asks for two fingerprints only). [5] The government must now delete the superfluous fingerprints on about 6.3 million passports delivered since 2008 in breach of EU law.

Moreover, on 25 October 2011, the National Commission on IT and Freedoms (CNIL) published a report on the proposed law for electronic ID cards. [6] While considering the use of biometrics as legitimate to protect passport and ID holders' identity, the Commission concluded that the amount of personal data collected as well as its use was disproportionate.

As regards the establishment of a central database of biometric data, the CNIL considered that any such system should be limited to exceptional situations where public order is at stake. The systematic storage and processing of fingerprints for purely administrative goals appears excessive and may put privacy and civil liberties in jeopardy.

The Commission asked especially for safeguards against the misuse of the data base for judicial purposes. Finally, the CNIL recommended that minors under twelve should not be fingerprinted and a limitation of two fingerprints for holders of other secure identity documents.

Following these decisions and recommendations, the French government amended its proposal concerning electronic ID cards and limited the collection of fingerprints to two. An initial reference to facial recognition was also withdrawn. Finally, no interconnection with other databases will be authorised in order to guarantee the use of the TES database solely for identity documents.

However, the government did not step back from the wording of Article 5, which establishes a strong link between personal details and biometric data and the condition of access to the database. With the amendments eventually adopted by the National Assembly on 13 December 2011, the TES file will still be used by police investigators in cases of identity theft, fraud, damage to the intelligence services' information, and obstruction to justice. [7] The Magistrate's Union, the Human Rights League and the French Lawyer's Union announced they will fight for the cancellation of this law, denouncing it as an "authoritarian decision". [8]

It might be observed that: a) limit of the age of 12 is a very low standard - some question whether the limit should not be 18 when informed consent could be given and b) this is part of a EU wide prcoess to introduce biometrics to national ID cards within the Schengen area. [9]

[1] Sénat (27 July 2010) Proposition de loi relative à la protection de l'identité
[2] As described by the UMP (right-wing) Senator and Rapporteur on the law proposal François Pillet (3 November 2011)
[3] Proposition de loi relative à la protection de l'identité, modifiée par l'Assemblée Nationale en deuxième lecture (13 December 2011)
[4] Droit, Justice & Sécurité (28 October 2011) Passeport biométrique: le Conseil d'Etat annule le décret instaurant le passeport biométrique
[5] Conseil d'Etat (26 October 2011) Association pour la promotion de l'image et autres, n°s 317827,317952, 318013, 318051
[6] CNIL (25 October 2011) Note d'observations de la Commission nationale de l'informatique et des libertés concernant la proposition de loi relative à la protection de l'identité
[7] BastaMag (14 December 2011) L'État va ficher 45 millions de Français
[8] Cartes d'identité biométriques: tous fichés! (16 December 2011)
[9] see: Statewatch Briefing: ID Cards in the EU: Current state of play

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error