The French Narrowly Escape Introduction of a Centralized Biometric Database

Vol. 41 No. 4

By Raphaël Dana and Monica Ledermann

Raphaël Dana (r.dana@sarrut-avocats.com) is a partner at Sarrut Avocats in Paris and a member of the Paris Bar. He specializes in data protection. Monica Ledermann (monicaledermann@gmail.com) was an intern at Sarrut Avocats and is an LLM candidate at the Sorbonne Law School. She is also a member of the Texas Bar; she earned her JD from Tulane University.

 

France introduced a new identity protection law on March 28, 2012. The Parliament had considered the bill for over a year and a half, but during this time it received surprisingly little attention from the public or media, given the importance of the matter at stake. The bill purported to introduce national biometric ID cards and to store the information from them in a centralized database. Members of Parliament called for the bill in an effort to strengthen identity protection, but its wording left some worried that the government could find other reasons to use the database. The bill also aimed to allow an optional e-Service chip to be inserted into the ID card to permit its holder to apply his or her electronic signature in online transactions. While the Constitutional Council (the body responsible for reviewing the constitutionality of laws in France) found no problems with the national biometric ID cards themselves, it ruled that the creation of the centralized database and the introduction of the optional e-Service chip were unconstitutional.


The Identity Protection Bill

On March 6, 2012, the National Assembly passed the 12-article bill on identity protection. Pursuant to this bill, more than 45 million individuals in France holding these cards would have their personal data, such as digital fingerprints, digitized faces, and possibly electronic signatures, stored in a centralized database. The bill listed various circumstances under which government agents, public servants, economic operators, and the police could access this database. The bill stated three objectives: to improve the reliability of national ID cards and passports, combat identity fraud, and provide cardholders with new e-services.

 

Criticism at the National Level

Major criticism of this bill came from the Commission Nationale de l’Informatique et des Libertés (“CNIL”), the French data protection authority. When questioned, the CNIL criticized the e-Service chip proposed by the bill. The CNIL warned that such a chip could lead to the creation of commercial databases filled with data on the cardholders’ ways of life and consumption habits. The CNIL feared that Internet users would lose the ability to protect their anonymity through the use of aliases. The Parliament responded to these fears by making this second chip optional.

Furthermore, the bill’s passage conflicted with the CNIL’s general position against biometric forms of identification. In its October 25, 2011, report, the CNIL underscored the particular sensitivity of biometric data, which necessitates strict supervision by law. French law dictates that use of biometric data is only appropriate for certain, limited purposes proportionate to the objectives pursued. The CNIL contended that identity fraud does not currently pose a great enough threat to justify the creation of a centralized biometric database.

Additionally, the CNIL’s October 2011 report reiterates major points from its December 11, 2007, deliberation on biometric passports. In that deliberation, the CNIL stated that given the sensitive nature and various potential uses of biometric data, as well as the resulting risks of serious attacks against citizens’ privacy and individual liberties, matters of security or public policy must justify the use of centralized databases. The CNIL argued that securing passport issuance procedures did not justify the national government retaining biometric data. Moreover, the CNIL believes that the creation of such a wide-scale, centralized biometric database brings with it serious risks necessitating supplemental complex security procedures.

 

General Opposition at the European Level

It also appears that the Parliament did not directly take into consideration the general opposition to such databases at the European level. Most notably, it did not consider the 2008 S. and Marper v. The United Kingdom case in which the European Court of Human Rights condemned the United Kingdom for creating a database that breached citizens’ rights to privacy. In that case, the Court held that indefinitely keeping digital fingerprints and DNA profiles of acquitted citizens violated Article 8 of the European Convention on Human Rights. Furthermore, in March 2011, over 80 nongovernmental organizations from 27 countries petitioned the Council of Europe, asking it to review whether the storage of citizens’ biometric data by member states violates European citizens’ fundamental rights. The secretary general declined to start an investigation, referencing the Parliamentary Assembly’s Resolution 1797 (2011) on “[t]he need for a global consideration of the human rights implications of biometrics.” In this Resolution, the Assembly advised that “there is a need to properly balance security and the protection of human rights and fundamental freedoms, including the right to privacy.” Accordingly, the Assembly called upon member states to adopt specific legislation on biometrics in order to protect citizens’ fundamental rights before this technology becomes part of everyday life.

 

Constitutionality of the Bill Challenged

The day after the bill’s passage, over 200 members of the National Assembly and Senate referred it to the Constitutional Council. Those opposed to the bill contended that the creation of a centralized biometric database concerning the quasi-totality of the French population and containing characteristics rendering possible the identification of a person by his digital fingerprints constituted an unconstitutional attack on the right to privacy. Furthermore, they argued that by allowing police to consult the data saved in this database, the Parliament failed to adopt necessary legal guarantees against the risk of arbitrary use. In other words, the bill presented an attack on the presumption of innocence.

 

Certain Provisions Ruled Unconstitutional

In its March 22, 2012, decision, the Constitutional Council held the proposed centralized biometric database unconstitutional. The Council found Articles 5, 7, and 10, as well as portions of Articles 6 and 8, of the bill disproportionate to the objectives pursued and therefore in violation of citizens’ right to privacy. Furthermore, the Council ruled against the second, optional chip proposed for use in e-government services and e-commerce. Accordingly, the Council struck down Article 3 in its entirety because it found that the Parliament exceeded its competence. The Council rejected the following provisions.

 

· Article 3 permitted the ID card to contain a second, optional e-Service chip containing “data” that would allow its holder to apply his or her electronic signature when entering into online transactions. This would transform the ID card into a tool for commercial transactions. The Council was particularly troubled by the proposed use of the card in civil and commercial transactions. The Council criticized the bill for not defining the authentication procedure for those persons wishing to apply the electronic signature, notably minors and protected persons. In its commentary on the ruling, the Council also noted that the bill lacked a way to guarantee that the identity of the person in front of the computer matched that of the cardholder. Furthermore, the Council criticized this article for not specifying the nature of the data needed or providing sufficient protection of the integrity and confidentiality of these data.

· Article 5 created the centralized biometric database and authorized access for three principal purposes: the issuance of ID cards and passports, investigative needs related to offenses linked to identity fraud, and establishment of the unknown identity of a deceased person or victim of a natural disaster or mass casualty event.

· Article 6’s third line authorized government agents in charge of verifying a person’s identity to access the database in the event of serious doubt regarding the person’s identity or presentation of a defective, or apparently damaged or altered, form of identity.

· Article 7 referred to a future decree that would define the conditions under which public administrations, public servants, and economic operators could access the database in order to ensure the validity of the national ID card or passport presented by its holder to justify his or her identity.

· Article 8’s second sentence referred to a future decree that would determine the permitted length of time for information storage in the database, the applicable terms, and the implementation date of the optional electronic functions mentioned in Article 3.

· Article 10 allowed the police to use the biometric database for needs related to the prevention and suppression of various offenses, notably those linked to terrorism.

 

The Council’s ruling resulted in some necessary changes to the bill to protect French citizens’ data. However, the Council did not explain its reasons for leaving intact the provisions that allow the collection of biometric data to combat identity fraud. The Council clearly stated that this decision did not constitute a pronouncement of its position for or against biometrics.

 

The Published Law

On March 28, 2012, French citizens saw the new law published in the Official Journal without the aforementioned provisions. The current Article 2 establishes that the national ID cards and newly issued passports will contain the following biometric information on their holders: first, middle, and last names; sex; date and place of birth; legal name; home address; height and eye color; digital fingerprints; and a photograph. According to the remaining portion of Article 6, these data are only accessible to the agents in charge of researching and checking the identity of an individual by verifying the validity and authenticity of his or her electronic passport or ID card. Lastly, Article 9 modifies Articles 323-1, 323-2, and 323-3 of the Criminal Code; these articles outline the punishment for unauthorized access to automated data processing systems. The modified Article 323-1 punishes fraudulent access with a €75,000 fine and up to five years of imprisonment. Similarly, Articles 323-2 and 323-3 will now punish fraudulently entering information with a €100,000 fine and up to seven years of imprisonment.

 

Citizens’ Need for Information

In recent years, national security concerns have led to the search for the most secure and reliable ways to verify a person’s identity. While convenient and useful for governments, biometrics and centralized databases pose serious risks to citizens’ fundamental rights. The current French government does not pose a threat of misuse of such a database, but with such a system already in place, French citizens would become vulnerable to its potential misuse in the future. Furthermore, although introducing ID cards would facilitate online transactions, the appropriate security measures are first required. The absence of significant media coverage and public discussion regarding the proposed bill and the resulting new law shows that citizens remain largely uninformed about or uninterested in the importance of protecting their personal data.
