Fingerprints on Belgian eIDs

The Belgian federal government recently decided to start with the registration of fingerprints in electronic identity cards (eIDs). As of the end of this year, several municipalities will be involved in a pilot project to test the new system.

On 27 September 2019, the federal Ministerial Council decided to start with the implementation of the registration of   fingerprints in the electronic chip in eIDs. This legislation was already adopted in November 2018,[1] but the practical matters were postponed as the government went into ‘current affairs’ status at the end of 2018.

The underlying reason for the legislation is to protect citizens against identity fraud. In the following months, the project will be rolled out in around 25 municipalities. The scope of application is rather limited during this first stage as it will only relate to citizens either applying for a new eID or for the renewal of their eID.

In today’s society, fingerprints are already used in various technologies: unlocking a smartphone, using mobile banking apps or monitoring the entry and exit time of employees.

Regardless of the applications already in place, the government’s intention sparked concerns in the media as there are certain security risks attached to registering biometrical data such as fingerprints. Contrary to pin codes or ‘classic’ security codes it is evidently impossible to modify a fingerprint after it has been found compromised by a data breach.

In that regard, concerns have been voiced that the safety risks of the new measure are disproportional compared to the envisaged advantages.

The General Data Protection Regulation (GDPR) takes an active approach towards the processing of biometrical data by categorizing it as ‘sensitive personal data’. This particular label brings forth the requirement of multiple robust protection safeguards by the entities or organizations that process such sensitive personal data.

In principle the GDPR even prohibits the processing of such data, unless a specific legal basis is available and provided that: (i) the proportionality in light of the pursued goal is guaranteed; and (ii) suitable and specific safeguards are integrated.

In 2018, the Belgian Data Protection Authority (DPA) published advice on the proposed measure twice.[2]

The use of fingerprints in eIDs was considered as “problematical” with the main concern being the lack of legitimate justification for the use of biometric data.

Additionally, the comparison made by the government with passports to justify the measure was criticized by the Belgian DPA as there are currently no systematic controls on these fingerprints due to the freedom of movement within the European Union.

Furthermore, the Belgian DPA found that no ‘data protection impact assessment’ (DPIA) was made even though this is mandatory upon the processing of such sensitive personal data.

Lastly, the Belgian DPA referred to the prohibition on processing biometric data as one of the principles embedded in the GDPR.

In light of these concerns, the government has confirmed that sensitive personal data will only be kept for three months in a central database managed by the same governmental entity responsible for the National Registry.

Furthermore, the government confirmed that the security of the databases is its primary concern.

The other practicalities of the new Regulation have not yet been released.

_{[1] Belgian Draft Legislation n° 54-3256/006 (14 November 2018) concerning various provisions of the National Registry and the Citizen Registers.}

_{[2] Advice of Belgian Data Protection Authority n° 19/2018 (28 February 2018) and n° 106/2018 (17 October 2018).}