Romanian Government wants to issue Electronic ID cards

By EDRi · August 25, 2010

This article is also available in:
Deutsch: [Rumänische Regierung plant elektronische ID-Karten | http://www.unwatched.org/node/2127]

The Romanian Ministry of Internal Affairs and Public Administration (MAI)
submitted for public consultation, in the middle of August 2010, a new draft
Ordinance for issuing mandatory electronic ID cards for Romanians starting
with 1 January 2011.

Even though the decision of having an electronic ID card was taken
in 2002 by Ordinance 69/29.08.2002, the practical implementation has been
postponed several times since then, due to financial difficulties. Following
the public outcry at the beginning of the 2010 against the biometric
passports, there was no surprise that the new act suggested by the MAI has
been received with concerns by the civil society.

According to the draft Ordinance, the new ID card will be obligatory for all
citizens over 14 years old and optional for children from 6 years old and
will include biometric data (2 fingerprints and the facial image) that will
be stored on a chip in the ID card. The chip will include also other data,
such as an electronic signature provided by the MAI. A similar eID card
would be required for all other residents in Romania. The justification of
the draft ordinance did not include any information regarding the possible
problems of the current ID card or the security and privacy impact
assessment of the new legal text. The only reference made was to the
forthcoming accession of Romania to the Schengen treaty and the STORK
programme, which will create the possibility of inter-operability between
eID cards.

A hastily organized public meeting of the MAI with NGOs on the 20 August
2010 (the final date for public comments) revealed that Ministry could not
provide any good reason why the new ID card was needed. Or why it needs to
be promoted in such a rush. The Ministry representatives could not give any
figures regarding current IDs cards falsified and used in illegal purposes
or even a specific reason, besides “increased security”, for having the
fingerprints stored in
the smart chip. They also said that we could not speak about fingerprinting,
since there were “just two fingerprints stored.” The authorities also
claimed that the security features of the project (which are not publicly
available in any document) – such as using the contactless technology
instead of RFID, not having a central database of fingerprints, access to
the biometric data on the eID card only with the consent of the card’s
holder, limited number of people having access to the data and only with a
state-issued digital certificate etc. – would be enough to have an ID
increased security and thus safer travelling in the European Union.

The participants in the meeting from the civil society expressed their
disapproval for such a system that would cost the Romanian Government 32
million Euros +VAT. They claimed that the obligation to have an eID
card was an useless and disproportional measure. Arguments related with
human rights or freedom of conscience, as defined by the Romanian
Constitution and ECHR, or current privacy legal framework were used to try
to allow the possibility of at least an alternative for the people that
don’t want to have the electronic ID card.

A statement from the Romanian Data Protection Authority from the same day,
20 August 2010, expressed its negative opinion on the draft Ordinance,
but claimed that the major change needed to consider only the minimum age,
which should be 14 years old. But this is just information from their press
release and the opinion, as such, has not been made public yet.

Several positions of the civil society expressed after the meeting – from
the Association for the Defense of Human Rights in Romania-the Helsinki
Committee, Institute for Public Policies, Activewatch or EDRi-member APTi
have demanded the withdrawal of the current act and a significant privacy
and security assessment of the project, if it is re-submitted later.

MAI representatives concluded that they would further on study the problems
raised, but gave no answer if there would be any future meetings. The
decision could have been taken also before the meeting since a public body
(RAAPPS) has already started the procedure for the public acquisition of the
eID technology with a public notice of acquisition made on 19 August 2010
with the process to start 7 days later.

Draft Ordinance on eID cards (only in Romanian, 12.08.2010)
http://www.mai.gov.ro/Documente/Transparenta%20decizionala/Proiect%20OUG%2097_2005.pdf

Justification of the eID cards Ordinance (only in Romanian,12.08.2010)
http://www.mai.gov.ro/Documente/Transparenta%20decizionala/NF%20OUG%2097_2005.pdf

APADOR-CH comments on the eID cards Ordinance (only in Romanian, 20.08.2010)
http://www.apador.org/show_report_nf.php?id=181

Public Policy Institute – Stop the 30 million deal on eID that we don’t need
(only in Romanian, 23.08.2010)
http://bit.ly/axJCGz

Common position of APTI, Activewatch, CJI, MediaSind and Accept on eID
Ordinances (only in Romanian, 23.08.2010)
http://legi-internet.ro/blogs/media/blogs/a/scrisoare%20MAI%20CI%20biometrice.pdf

Negative Opinon of the Romanian DPA for the eID for under 14 (only in
Romanian, 20.08.2010)
http://www.dataprotection.ro/?page=Aviz_negativ_al_Autoritatii_pentru_cartea_electronica_de_identitate_a_minorilor_sub_14_ani&lang=ro

ENISA: Privacy Features of European eID Card Specifications (01.2009)
http://www.enisa.europa.eu/act/it/eid/eid-cards-en