EDRi challenges expansion of police surveillance via Prüm

On 24 March, EDRi submitted its response to the European Commission’s public consultation on the revision of the Prüm framework. The Prüm framework permits police forces of EU Member States to exchange DNA files, fingerprints, vehicle data via a decentralised system. The European Commission and the Council are pushing for a “Next Generation Prüm” in which facial images, firearms data, driving licenses, extracts of police records, data about third-country nationals and many additional types of data could be shared via the system.

What is “Prüm”?

Following an initial intergovernmental cooperation treaty signed by seven Member States in 2005, Prüm decisions were adopted as EU law in 2008. It enables law enforcement authorities to conduct cross-border searches of DNA, fingerprints and data related to vehicles and their owners. Since then, the Council has called for a revision of the decisions by launching a series of “focus groups” to look at ways to expand the Prüm system. The Council has recommended the inclusion of facial images, driver licenses, firearms data and biographic data. As a result, the European Commission is currently trying to sort out the legal, technical and procedural hurdles to achieve the Member States’ many desires.

Why it matters?

There is very little democratic control and scrutiny over the use and development of police databases in Europe. Almost every day EU residents are learning that new technologies are being used by police forces with neither public knowledge nor  democratic debate – let alone legal basis. Yet, the increasing cross-border exchange of sensitive data like biometric data raises profound questions about people’s rights in a democratic society. Researchers have shown how the use of identification technologies including biometric databases amounts to a new form of control and monitoring of the individuals and populations they are applied to. Notably, the use and expansion of these databases are often linked to an increase in stigmatisation, control and policing over marginalised groups such as Black and Brown communities. The Prüm system was neither developed with the democratic involvement of the European and national parliaments nor was it ever evaluated to be compliant with the legal principles of necessity and proportionality.

What would the proposed reform change?

The objectives of the reform envisaged by the European Commission so far are to (1) review the efficiency of the exchange of current data categories and broaden the scope of Prüm data (e.g. with facial images) (2) speed up the follow-up procedure – Prüm data exchanges take place based on a “hit/no-hit” approach, which means that DNA profiles or fingerprints found at a crime scene in one EU Member State can be compared automatically with profiles held in the databases of other EU States. The “follow-up procedure” is the process that happens after the initial search led to a match (a “hit”) and through which the authority can request more precise information like the individual’s names or addresses from the authority that retains this information; (3) allow Europol to feed the database with data received from third countries and organisations, (4) consider extending the scope of affected persons from suspects and convicted to missing and deceased persons, (5) align the instrument with the latest EU data protection rules (the General Data Protection Regulation (GDPR) and the Law Enforcement Police Directive (LEPD)), (6) possibly introduce a central platform for search and comparison instead of the current decentralised network.

Instead of assessing and addressing the risks to privacy and data protection rights and the issue of structural discrimination against people whose data is held in these databases, the review of the Prüm framework is used as an opportunity to expand this system of surveillance with nefarious technologies like facial recognition.

Concerns with the ever expanding expansion of data exchange between law enforcement

EDRi has already provided its feedback about the EU’s plans when the Commission shared its “Inception Impact Assessment” in October 2020. In our latest response, we are repeating our main concerns and restating our previous recommendations. Considering the extremely limited democratic control and scrutiny over the use and development of police databases in Europe and the absence of solid evidence of successful investigations and prosecutions in Europe because of Prüm, we advise against the proposed extension of the exchange framework.

We recommend that the European Commission reviews the compliance of the Prüm automated data exchange mechanisms, as well as Member States’ laws governing the functioning of national biometric databases, with fundamental rights and other EU legal requirements. In addition, we urge the EU to question the endless collection of people’s data for law enforcement purposes that leads to a data-driven mass surveillance system. In particular, we strongly oppose the inclusion of facial images in the Prüm system which would de facto force the deployment of facial recognition technologies across the EU. Facial technology is arguably the most intrusive and privacy-invasive form of biometric identification. This is also why EDRi calls on the Commission and EU Member States to ensure that such technologies are comprehensively banned in both law and practice and launched a European Citizens’ Initiative (ECI) for that purpose.

Find our previous submission here.

Read our reply to the public consultation here.

https://edri.org/wp-content/uploads/2021/03/EDRi_Public_Consultation_Prum_framework.pdf

(Contribution by:)