Press release: European Commission jumps the gun with proposal to add facial recognition to EU-wide police database

The European Commission has put forward a proposal to ‘streamline’ the automated sharing of facial recognition images and other sensitive data by police across the EU. What will be discarded in order to ‘streamline’ the process? Vital safeguards which are designed to protect all of us from state over-reach and authoritarian mass surveillance practices.

By EDRi · December 8, 2021

Today, 8 December 2021, the European Commission has published its proposal to expand the Prüm framework, Prüm II, as part of the new Security Union package. The original Prüm decision regulates the exchange of DNA, fingerprint and vehicle registration data between EU police authorities.

EDRi has warned that any proposal to expand the framework would be premature, because the Commission has thus far failed to provide sufficient evidence of the necessity and proportionality of the existing Prüm Decisions, which they are obliged to do under EU law.

The worrying proposal for Prüm II

Despite this, today’s proposal from the Commissioner for Promoting our European Way of Life, Margaritis Schinas, seeks to expand the powers granted to EU law enforcement under the Prüm framework, with the purported aim of improving cooperation in combating cross-border crimes. This includes new provisions to share facial images for the purpose of facial recognition and sharing of police records. The proposal also further automates the cross-border sharing of personal (and often highly sensitive) data: people’s faces, fingerprints and DNA data, vehicle registration data and police records.

This additional automation will explicitly remove vital procedural and judicial safeguards which are in place to make sure that our sensitive data are only shared with police forces in other countries when there is a legitimate reason to do so. The proposal also enhances the role of Europol, meaning that the sensitive biometric data of suspects from outside the EU are included in its scope, without clear protections.

Risks of amplifying discrimination

The expansion of the Prüm framework in the Prüm II proposal also risks amplifying the discriminatory impacts that law enforcement databases already have on racialised and marginalised communities, as their composition and use often lead to more surveillance, coercive actions and abusive policing of these groups. The addition of police records will likely reinforce their overpolicing. Information contained in national police databases frequently includes gossip and hearsay, and lacks accuracy and legitimacy, for example in Belgium’s BNG system or France’s PASP system.

Incentivising biometric mass surveillance

The Commission claims that the proposed expansion to include facial recognition will not use artificial intelligence, does not happen in real time, and does not identify “large groups of persons in public spaces”. Yet this proposed expansion to include face data is especially troubling given that EDRi, independent researchers, and the Reclaim Your Face coalition of over 65 civil society groups have demonstrated that facial image databases can pave the way for biometric mass surveillance practices. Despite already having access to a wealth of personal data under existing Prüm rules, the Commission wants to enable instant access to even more data, without addressing the serious risks.

EDRi Policy Advisor, Ella Jakubowska, warns that:

Our faces are central to our identities, and facial recognition has the capacity to obliterate our privacy and anonymity forever. Given the threat to fundamental rights, it is very concerning that the Commission would put forward changes to allow police forces to circumvent oversight and scrutiny when sharing highly sensitive data about our faces and bodies in ways that may facilitate biometric mass surveillance.

By including face data, Prüm II may even incentivise Member States, that have thus far chosen not to conduct mass facial recognition against their communities, to now start deploying surveillance infrastructure and databases.

As Lotte Houwing, Policy Advisor at EDRi member Bits of Freedom, explains, the Netherlands provides just one example of the police having trouble maintaining biometric databases on a national scale:

“The Netherlands provides a clear example of the systemic misuse of sensitive biometric data in law enforcement databases. There are tens of thousands of people wrongfully-included in the facial recognition database of the Dutch police. This year they finally deleted 218,000 photos that were unjustly in the database since 2010, and it is unclear how many more unduly-included faces there are left. This shows the degree of mismanagement of databases that include very sensitive biometric data on a national scale. Imagine the potential harms when access to these databases grows to a European scale.”

( Contribution by: )

Ella Jakubowska

Policy Advisor

Twitter: @ellajakubowska1

Chloé Berthélémy

Chloé Berthélémy

Policy Advisor

Twitter: @ChloBemy