Explanatory Memorandum to COM(2003)558-2 - Amendment of Regulation (EC) 1030/2002 laying down a uniform format for residence permits for third-country nationals

1. INTRODUCTION

In the aftermath of the tragic events of September 11, 2001 the Commission was asked by Member States to take immediate action in order to improve document security. Clearly, it was important to be able to detect persons who tried to use forged official documents in order to gain entry to European Union territory. Prevention of the use of bogus or false identities could best be achieved by enabling more reliable checking of whether the person who presented a document was identical to the person to whom the document had been issued.

One of the weaknesses of the system then in use was that neither the visa nor the residence permit, in sticker form, included any sort of photograph or other reliable means of identification. Consequently, it was decided that at the very minimum, it was urgent to provide for the incorporation into both documents of a photograph, meeting high security standards.

Proposals were submitted to the Council and the European Parliament in September 2001. Subsequently, on 18 February 2002, the modification of the uniform format for visas was adopted by Council Regulation (EC) 334/2002 (amending Regulation (EC) No 1683/95 laying down a uniform format for visas) and on 13 June 2002 Regulation (EC) 1030/2002 laying down a uniform format for residence permits for third country nationals. The Commission proceeded to adopt the additional technical specifications on 3 June 2002 in relation to the visa and on 14 August 2002 in the case of the residence permit. Member States are obliged to implement these new specifications before the final dates of 3 June 2007 and 14 August 2007 respectively.

However, Member States have emphasised that they would like to see further enhancement of the security standards of the uniform format for visas and travel documents in general. They have made it clear that they are in favour of including biometric identifiers in the visa and the residence permit for third country nationals in order to establish a more reliable link between holder, passport and visa.

At the informal JHA Ministers' meeting in Veria on 28/29 March 2003, Member States called again for a Commission proposal to integrate biometric identifiers into the uniform format for visas and residence permits for third country nationals. Commissioner Vitorino undertook to present a proposal, at the same time emphasising that a coherent approach should be taken in respect of all travel documents, including the passport of EU citizens. This was even more necessary given the need to take a common approach towards new US legislation, which requires biometric elements in passports of citizens of countries granted a visa waiver as from 26 October 2004.

The Thessaloniki European Council of 19/20 June 2003 confirmed that "a coherent approach is needed in the EU on biometric identifiers or biometric data which would result in harmonised solutions for documents for third country nationals, EU citizens' passports and information systems (VIS and SIS II)", and invited the Commission 'to prepare the appropriate proposals, starting with the visa'.

A close link is thus established between the uniform format for visas, the residence permit for third country nationals and the Visa Information System.

The Laeken and Seville European Councils and the comprehensive plan to combat illegal immigration and trafficking of human beings have given high priority to the establishment of a common Visa Information System (VIS). The Council adopted in June 2002 guidelines for the introduction of such a system and invited the Commission to carry out a feasibility study following the guidelines adopted. The objectives of the VIS as set out in the Council guidelines are in particular to facilitate the fight against fraud, to contribute to the prevention of 'visa shopping', to improve visa consultation, to facilitate identifications for the application of the Dublin II regulation and return procedures, to improve the administration of the common visa policy and to contribute towards internal security and combating terrorism. The VIS should comprise a Central Visa Information System (C-VIS) and a National Visa Information System (N-VIS) in each Member State. The feasibility study is now available, and provides an analysis of the technical and financial aspects of the VIS. The importance of biometrics for the overall effectiveness of the system must be underlined, particularly as the use of biometrics at such an unprecedented scale will bear a significant impact on the system, in both technical and financial terms.

The present proposals will have a decisive impact on the choice of biometric identifiers to be used in the VIS, as they should be the same in order to ensure coherence. Furthermore, the enrolment of the biometric identifiers must be in line with the requirements of the VIS in order to enable identification (one-to-many searches).

2. AIM OF THE PROPOSALS


The Commission is now presenting as a first step these proposals on the modification of the Regulations (EC) 1683/95 laying down a uniform format for visas and 1030/2002 laying down a uniform format for residence permits of third country nationals.

The second step, in relation to documents of EU citizens, will follow later this year.

The Commission's intention with these proposals is twofold:

- to bring forward the final date for the implementation of the photograph from 2007 to 2005 and at the same time,

- require Member States to integrate biometric identifiers into the visa and the residence permit for third country nationals in a harmonised way, thus ensuring interoperability.

The digital photograph should be not only integrated into the visa but also used for the integration of the facial image as the primary interoperable biometric identifier, to be stored among other information on a storage medium with sufficient capacity. The bringing forward of the final date of implementation is a logical consequence. Some Member States have already anticipated the final date by implementing the Regulations early i.e. before 2007.

3. CHOICE OF THE BIOMETRICS


The Commission proposals provide for the mandatory storage of the facial image as a primary biometric identifier in order to ensure interoperability. A secondary biometric identifier should be added, which should be the fingerprint, as it provides the best solution for so-called 'background checks', the identification (one-to-many searches) in databases. The main purpose of the chosen identifiers is to achieve a solution, which guarantees a very high level of security and the best technical results. It is considered that existing security standards are improved even further by the integration of two biometric identifiers, introducing modern technologies to combat not only document fraud, but also fraudulent use by establishing a more reliable link between the holder and the visa and residence permit format.

When choosing the most appropriate biometric identifiers, the results of the work of the ICAO (International Civil Aviation Organisation), which has taken the lead in the development of international standards in this respect, and of the feasibility study on the Visa Information System (VIS) have been taken into account. It is also important not to lose sight of the need for a proper balance between the reinforcement of security and due regard for the individual rights of the persons concerned.

ICAO has chosen the facial image as the primary interoperable biometric identifier and fingerprint and/or iris images as an optional biometric identifier for countries which require this for database searches.

The approach taken by the VIS feasibility study would take ten fingerprints from each visa applicant (point 3.3.5.1 p. 45) as only they provide a proven, high level of accuracy. It is the oldest and most mature identifier and already used in all Member States for national databases.

The first biometric identifier, the high resolution electronic portrait, is already available as it should be printed on the visa from 2007 onwards. This is an additional argument in favour of anticipating the implementation date of the photograph in the visa and residence permit and it will improve the security of the uniform format. At borders, the electronic record could be used to display the image on the screen as well as the additional visual check, even if facial recognition technology is not applied. This would constitute a basic application of the digital photograph. A more advanced application would be the use of facial recognition systems with the digital photograph. This would require the availability of the necessary technology and equipment at the border crossing-point. It leaves the choice to Member States whether they wish to display only the photo on the screen or run a facial recognition programme. The quality standards for the digital photograph set out by ICAO should also be respected in order to ensure interoperability. The Commission would leave the choice of technology to Member States.

The storage of the second biometric identifier should not be left to the discretion of Member States, as only a minimum of two identifiers can ensure a sufficient level of good matching results. In any case, a second biometric identifier would be needed when the enrolment of one of them is not possible for various reasons. The additional storage of fingerprints will ensure the highest matching rate and enable searches in databases.

The proposals provide that the number of fingerprint images stored on the document should be limited to two. In the initial stage they would be used only for verification purposes (one-to-one checks) and no searches in the VIS will be performed. If experience shows that the failure rate for verification is too high, the number of fingerprints should be reviewed. Furthermore, the storage capacity of a contactless chip is, at least in the beginning, limited to two fingerprint images.

The requirements for the quality of the fingerprint images should be established by the Committee created by Article 6 of Regulation (EC) 1683/95. However, the fingerprint images shall be taken from 'flat' fingers and not be 'rolled'. The rolled fingerprint needs the intervention of a second person. In order to avoid physical contact between consular officials and the visa applicants, 'rolled' fingerprints should be excluded.

However, it could be considered that in their implementation Member States should have more flexibility. The facial image should be introduced as the first biometric identifier for reasons of interoperability. The introduction of the compulsory fingerprints need not necessarily happen at the same time, as it has not yet been decided whether the VIS will include biometric data from its very beginning. The implementation of the fingerprints could be phased in parallel to the rollout of the Visa Information System, as the infrastructure may not be available at every consular post at the same time.

Iris recognition has not been chosen as a biometric identifier because it is a proprietary technology: the patents on the concept are held by one single US company. As a quite new technology (developed as from 1992), it has not yet been proven mature enough for large-scale database performance.

4. SUPERVISORY AUTHORITIES ON DATA PROTECTION


The two Regulations provide only for the legal basis for Member States to store biometric data on the uniform format for visas and the residence permit for third country nationals. The implementation of such action is left to the Member States in accordance with the technical specifications set out by the Committee created by Article 6 of Regulation (EC) 1683/95 on a uniform format for visas. Member States will carry out the processing of the biometric data.

Directive 95/46/EC on data protection applies to the processing of personal data (including biometric data) by Member States' authorities within the scope of Community law.

In accordance with Article 28 of Directive 95/46/EC, Member States have established supervisory authorities that are responsible for the monitoring of the application within their territory of the provisions adopted by the Member States pursuant to Directive 95/46/EC. These authorities must act in complete independence in exercising the functions entrusted to them.

Those authorities are competent to hear claims on data protection lodged by any person or by an association representing that person.

They are endowed with


* Investigative powers, such as

- powers of access to data, forming the subject-matter of processing operations and

- powers to collect all the information necessary for the performance of their supervisory duties,

* Effective powers of intervention, such as,

- delivering opinions before processing operations are carried out, and

- ensuring appropriate publication of such opinions,

- ordering the blocking, erasure or destruction of data,

- imposing a temporary or definitive ban on processing,

- warning or admonishing the controller,

- referring the matter to national parliaments or other political institutions,

* The power to engage in legal proceedings or to bring violations to the attention of the judicial authorities, where the national provisions adopted pursuant to Directive 95/46/EC have been violated.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

Furthermore, those supervisory authorities have the obligation to draw up a regular report on their activities and may also be requested to exercise their powers by an authority of another Member State.

As indicated in the first report of the Commission on the implementation of Directive 95/46/EC, those authorities are currently under-resourced for their wide range of tasks. Since the supervision of the processing of biometrics will increase their workload, it will be necessary to provide additional resources for them.

The report states "that the supervisory authorities themselves in many Member States are also concerned about this, in particular their lack of resources. Resource difficulties may affect independence. Independence in the taking of decisions is a sine qua non for the correct functioning of the system. This aspect requires further investigation, but if these tendencies are confirmed, they are reasons for serious concern and reflections need to be undertaken between the Commission and the Member States and the supervisory authorities to determine their causes and design feasible solutions. The fact that the three aspects are linked means that addressing one of them successfully can have positive spill-over on the others. More vigorous and effective enforcement will improve compliance with the legislation. Better compliance will result in data controllers providing more and better information to data subjects about the existence of the processing and their rights under the law, with a beneficial effect on the level of awareness about data protection among citizens in general.

Technological products should be in all cases developed in compliance with the applicable data protection rules. But being in compliance is only the first step. The aim should be to have products that are not only privacy-compliant and privacy-friendly but if possible also privacy-enhancing. Privacy-compliant products are products developed in full compliance with the Directive, privacy-friendly products go one step further by introducing some elements that make the privacy aspects more easily-accessible to the users like for instance by providing very user-friendly information to the data subject or very easy ways of exercising their rights. Privacy-enhancing products are those that have been designed in a way that aims at accomplishing the largest possible use of truly anonymous data."

The Working Party set up by Article 29 of Directive 95/46/EC to advise the Commission on data protection matters has adopted on 1 August 2003 a working document on biometrics (Working Document on biometrics No WP 80). It covers the principle of purpose and proportionality, as well as information of the data subject, notification, security measures and regimes for sensitive data.

When Member States implement the biometric identifiers in accordance with the two Regulations, the above considerations must be taken into account. Measures aiming to reinforce public security must respect the fundamental rights and freedoms of the persons concerned. This implies in this context the increase of personnel in the national data protection supervisory authorities in order to ensure effective supervision and the choice of technologies, which comply with the provisions of Directive 95/46/EC.

Therefore the Commission intends also to submit the proposals to the Working Party set up by Article 29 of Directive 95/46/EC for consultation in accordance with Article 30 of the said Directive.

However, in the future, a centralised way of dealing with data protection issues would be preferable. If, in the framework of VIS and SIS, a decision were taken to create an agency at Community level, the independent supervisory authority established by Regulation (EC) 45/2001 would have to assume its responsibilities as regards data protection issues.


5. STRUCTURE OF THE PROPOSALS


The present Regulations will amend the two existing Regulations in order to set out the legal framework to enable Member States to integrate the facial image and the fingerprints on the uniform format for visas and the residence permit.

The proposals provide only for the determination of the biometric identifiers. Technical details are not gone into.

Implementation powers at the technical level in relation to both proposals should be delegated to the Commission with the assistance of the Committee created by Article 6 of Regulation 1683/95 laying down the uniform format for visas, in line with the procedure set out in Article 5 of Decision 1999/468/EC in compliance with Article 7 thereof. Under this procedure the technical specifications to render the documents compatible with the required security standards will be established. The Committee should decide, for example, on the development of a standard as regards the choice of the storage medium, its capacity and how to secure the stored information by using, for example, an appropriate PKI (Public Key Infrastructure) and digital signature. Furthermore, it should be charged with establishing the requirements in order to obtain two fingerprints for storage on the formats. This will have the advantage that the needs can be identified by the technical experts and be adopted in a less time-consuming manner. The Committee can also take account more quickly of new technical developments.

6. LEGAL BASIS


The proposal in relation to the visa is based on Article 62(2)(b)(iii) of the EC Treaty, under which the Commission may present proposals on a uniform format for visas.

The proposal in relation to the residence permit for third country nationals is based on Article 63 i (a) TEC.

The amendments of both proposals should be based on the same provisions.

Regulation (EC) 1030/2002 laying down a uniform format for residence permits for third country nationals was considered to be a development of the Schengen acquis. This is also the case for a Regulation amending it.

7. CONSEQUENCES IN RELATION TO THE VARIOUS PROTOCOLS ANNEXED TO THE TREATY


The legal bases for the proposals concerning documents issued by Member States to third-country nationals, the uniform format for visas and the residence permit for third-country nationals, fall within Title IV of the Treaty and thus give rise to the variable situation laid down by the protocols on the position of UK, IRL and DK.

7.1 United Kingdom and Ireland


According to Article 2 of the Protocol on the position of the United Kingdom and Ireland annexed to the Treaty 'none of the provisions of Title IV of the Treaty establishing the European Community, no measure adopted pursuant to that title,..., shall be binding upon or applicable in the United Kingdom or Ireland'.

However, following Article 3 of the said protocol 'the United Kingdom or Ireland may notify the president of the Council in writing, within three months after a proposal or initiative has been presented to the Council pursuant to Title IV of the Treaty establishing the European Community, that it wishes to take part in the adoption and application of any such proposed measure, whereupon that State shall be entitled to do so'.

In accordance with Article 3 of the Protocol on the position of the United Kingdom and Ireland annexed to the Treaty on European Union and to the Treaty establishing the European Community, the United Kingdom gave notice, by letter of 3 July 2001, of its wish to take part in the adoption and application of Regulation (EC) 1030/2002 laying down a uniform format for residence permits for third country nationals.

7.2 Denmark


a) Regulation amending Regulation (EC) 1683/95 laying down a uniform format for visas

By the Protocol annexed by the Amsterdam Treaty to the EU and EC Treaty on the position of Denmark, Denmark does not take part in the adoption by the Council of measures pursuant to Title IV of the EC Treaty, with the exception of 'measures determining the third countries whose nationals must be in possession of visas when crossing the external borders, or measures relating to a uniform format for visas' (former Article 100c).

This passage from the Protocol reflects Denmark's concern to abide by the Community commitments it undertook in the Maastricht Treaty (Article 100c ECT and Regulations (EC) No 1683/95 and 574/99). The Commission, on the basis of its interpretation of Article 100c, considers that Article 62(2)(b)(iii) of the EC Treaty makes no innovations in respect of Article 100c but merely confirms and clarifies the objective to which it gives form. Denmark should play a full part in the legislative procedure following the presentation of the proposals for a Regulation based on Article 62(2)(b)(iii) such as the amendment to Regulation 1683/95.

b) Regulation amending Regulation (EC) 1030/2002 laying down a uniform format for residence permits for third country nationals


Where however, as in this case, the proposals constitute a development of the Schengen acquis and following Article 5 of the Protocol, 'Denmark shall decide within a period of 6 months after the Council has decided on a proposal or initiative to build upon the Schengen acquis under the provisions of Title IV of the Treaty establishing the European Community, whether it will implement this decision in its national law'.

7.3 Norway and Iceland


In accordance with Article 6, first indent, of the Schengen Protocol, an agreement was signed on 18 May 1999 between the Council, Norway and Iceland in order to associate those two countries with the implementation, application and development of the Schengen acquis.

Article 1 of this agreement stipulates that Norway and Iceland are associated with the activities of the EC and the EU in the areas covered by the provisions referred to in Annexes A (provisions of the Schengen acquis) and B (provisions of acts of the European Community, which have replaced corresponding provisions of, or adopted pursuant to, the Schengen Convention) of the agreement as well as by those which will follow from them.

According to Article 2 of the agreement, the provisions of all acts or measures taken by the European Union amending or building upon the integrated Schengen Acquis (Annex A, B) shall be implemented and applied by Norway and Iceland.

Annex B includes Council Regulation (EC) 1683/95 of 29 May 1995 laying down the uniform format for visas. The Regulation amending Regulation (EC) 1030/2002 laying down a uniform format for residence permits for third country nationals builds upon the Schengen acquis as defined in Annex A of the agreement.

As a consequence, the matter has to be discussed in the 'Mixed Committee' as provided for in Article 4 of the Agreement, to give Norway and Iceland the possibility 'to explain the problems they encounter in respect of' the measure and 'to express themselves on any questions concerning the development of provisions of concern to them or the implementation thereof'.

8. SUBSIDIARITY AND PROPORTIONALITY


Article 5 of the EC Treaty provides that 'action by the Community shall not go beyond what is necessary to achieve the objectives of this Treaty'. The form taken by Community action must be the simplest form allowing the proposal to attain its objective and to be implemented as efficiently as possible.

As the proposed initiatives developing the Schengen acquis intend to amend two Regulations, which should assure a harmonised application in all Member States applying the Schengen acquis, the form of a regulation has been chosen.

The harmonisation of document formats and of their security features will provide a guarantee against counterfeiting. By preventing forgery and counterfeiting of travel and residence documents the Commission intends to enhance the high level of security, a target set out both by the Treaty and the European Council of Thessaloniki. This level of harmonisation can only be reached by Community action as already demonstrated by the adoption of several other instruments aiming at making documents more secure.

The proposals related to the integration of biometrics into the uniform formats of the visa and the residence permit are intended to make them more secure, legally binding and easily adaptable to new circumstances given the risk of counterfeiting and forgery of the two documents, which should meet special situations for crossing of the external borders of the European Union and should therefore be the same throughout the EU. In addition they provide for a reliable link between the document and its holder. The main reason for preferring regulations to directives is that the proposal provides for a total harmonisation of the layout of such documents, and their biometric identifiers, thus leaving no room for discretion to the Member States.

9. FINANCIAL IMPACT


It is rather difficult to specify the exact financial impact of these legislative measures, as the exact requirements are not yet known and will be established by the Committee created by Article 6 of Regulation (EC) 1683/95 laying down a uniform format for visas.

In any event, it should be recalled that the necessary technical equipment has to be installed for the integration of the photograph according to high security standards into the visa and the residence permit for third country nationals and for the VIS system. The following technical requirements seem to be necessary:

- Storage medium

For the time being, the most appropriate storage medium is a contactless microchip. The microchip is necessary for the storage of the biometric information and the security code (PKI digital signature). ICAO recommends as a minimum standard a 32 K chip. However, as it is necessary to store a facial image and two fingerprint images, a 64 K chip would be more appropriate, especially if Member States wish to add some alphanumeric data.

The cost of such microchip is not yet known. The technology is developing rapidly and with the demand of chips needed for 25 Member States, the price will drop significantly. The Commission could also make a 'grouped order' after a call for tender in order to obtain a better price.

- Enrolment equipment

Member States have to install enrolment equipment in the place where the data will be produced. Two biometrics (face and fingerprint) would mean either two enrolment systems or one combined system (e.g. desktop solution with camera and fingerprint capture station.) The prices of one-fingerprint enrolment device are much lower than equipment with which more fingers can be enrolled. To make sure that the data can be used for a long period of time (up to 10 years) the equipment should be of high quality.

- Verification systems

Verification systems have to be installed at border posts. They would have to be designed and built to handle the information 'quickly' as Member States would not want people to wait at the border control for hours. They have to be designed not only for positive scenarios (where everything works) but also be robust enough to cope with difficulties.


- Data management

Security would be a critical factor for success and acceptance of the system.

10. COMMENTS ON THE ARTICLES


9.1 Article 1


The first paragraph adds two points to Article 2 of both Regulations giving the powers to the Committee created by Article 6 of Regulation 1683/95 laying down a uniform format for visas to establish additional technical specifications in relation to the integration of biometric identifiers.

The second paragraph sets out a change to Article 4 of both Regulations. It is necessary in order to allow the integration of biometric elements but limiting the personal data stored on the visa to those indicated either in the Regulation itself, its Annex or in the relevant passport of the person. It must be avoided that other information can be stored.

The third paragraph adds Article 4a, which sets out the choice of the biometric identifiers and allows the integration into the two formats. It also specifies that the biometric identifier(s) shall be stored on a storage medium with sufficient capacity. It could be a contactless chip but also another storage medium with the required capacity, to be determined by the technical experts in the responsible committee. Furthermore it gives the power to the Committee to determine the technical requirements in order to obtain two fingerprint images.

In its fourth paragraph, the text of the existing Regulations is adapted in order to bring forward the date for the implementation of the photograph. The Commission decision on the integration of the photograph in relation to the visa was taken on 3 June 2002 and for the residence permit on 14 August 2002. The final implementation date will therefore be fixed for the visa on 3 June 2005 and for the residence permit for third country nationals on 14 August 2005.

As Member States wish to put the measure in place urgently, the implementation of the facial image shall be fixed two years after the adoption of the respective technical specifications and for the fingerprints three years after the adoption of the technical specifications in order to give slightly more flexibility.

9.2 Article 2


This is a standard formula for the entry into force.


Glossary

Biometrics: (International Scientific Vocabulary, Date: 1831) the statistical analysis of biological observations and phenomena, from the Greek bios (life) and metron (measurement). A biometric is a measurable physiological or behavioural trait of a living person, especially one that can be used to identify a person or a claimed identity. Since a biometric is uniquely bound to a person, it provides the strongest single factor for user authentication.

Enrolment of fingerprints: The process of providing the fingerprints as biometric data for further use in the biometric systems.

Facial image: The photograph of the face in digital form, in contrast to the template.

Facial recognition: The system locates the human face within an image captured by a video camera or digital photograph and takes that face and isolates it from the other objects captured within the image. Software then analyzes the captured images for general facial structures such as eyes and nose and measures and determines the rest of the face. Other imaging methods include three-dimensional mapping (using a laser range scanner, instead of a camera) and thermal imaging of blood vessels under the skin. This result is compared to the face of the person, where the same image capturing procedure is used in order to verify the claimed identity.

High resolution electronic portrait: The digital photograph of a very high quality.

Interoperability: The different systems will be able to work with the same digital image (a digital image of a fingerprint enrolled in Germany can be read in France and vice versa) so that it is independent from equipment vendors.

One-to-many checks: Also: Identification. The process of determining a person's identity through a database search against multiple templates or images.

One-to-one checks: Also: Verification. A comparison of two templates or images to establish the validity of a claimed identity. The process of claiming an identity and subsequently verifying the claimed identity.

PKI (Public Key Infrastructure): Asymmetric cryptographic systems use two keys in order to secure information: a public and a private key. The mathematical relationship between the two keys is such that knowledge of one key cannot be used to deduce the other. Thus, one key can be made publicly available (public key) while the other remains secret (private key).

Template: Distinctive encoded files derived from the unique features of a biometric sample or biometric data (dependent on software systems of vendors).